On Mon, Aug 08, 2005 at 08:20:25AM -0700, Kris Benson wrote:
> FreeRadius users mailing list <freeradius-users at> on
> August 7, 2005 at 11:16 -0800 wrote:
> >On Sun, 7 Aug 2005 15:05:50 +0100

> >Install FreeBSD, go to /usr/ports/net/freeradius and simply type make
> >install clean
> >Voila, all you need including dependencies will be automatically
> >installed on your system.
> >Or if you wanna go for a BSD wannabe in the Linux world, use Gentoo,
> >there you just type emerge freeradius and you get the same result as on
> >BSD.
> >Dealing with Debian you either get outdated applications or pretty
> >unstable system, depending on the Debian branch you may want to use.
> >Please keep in mind this is my subjective opinion based on my long time
> >experience.
> >And BTW, the version you are trying to install is also outdated and with
> >known security issues.

> Dude!  He's trying to install the most recent version: 1.0.4... While I
> would agree that FreeBSD is generally a better choice than any Linux
> variant, YMMV.

> You are right about outdated packages -- the Debian Freeradius package is
> v1.0.2... and comes without EAP-TLS and anything that requires it.

(This is directed at both the preceding posters. I just didn't want to
type it out twice. ^_^)

You may want to do a modicum of research before throwing aspersions.
Given that Debian/Sarge predated FreeRADIUS 1.0.4 (and 1.0.3), and the
FreeRADIUS 1.0.2 package in Debian/Sarge contains all of the essential
security and bug fixes that differentiate it from 1.0.4 [1], I'd hardly
call it outdated. _I_ think it's the best 1.0.2-based version available
for the time, and it's still serving _me_ quite well. If there were any
other security problems, a new version would be put into Debian/sarge,
so it's not like it's bitrotting into a security hole. (This is true of
Debian/sarge in general.)

Debian/sid and Debian/etch obviously contain FreeRADIUS 1.0.4 + whatever
fixes will differentiate it from 1.0.5, as appropriate. [2]

And the exclusion of EAP/TLS is due to the well documented conflict
between the GPL license of rlm_eap_tls and the OpenSSL license, which
makes distributing binaries of rlm_eap_tls that link against openssl
impossible, legally. And since there are several various sets of
instructions on building your own copy of FreeRADIUS for Debian with
eap-tls included, I don't feel that not distributing unlicensed binaries
is a big loss compared to distributing unlicensed binaries.

And I'm not going to even start on people who think the solution to any
computer problem is "Blow away what you've got, install my favorite OS,
and do things my way".

I put time and effort into the Debian FreeRADIUS package, to make it the
best it can be. You're welcome to level criticisms at it (Debian has a
whole BTS to do that in ^_^) but "the package sucks and is outdated and
has security holes" based entirely on the upstream version number is a
little on the wrong side of criticism for me.

I'm also gonna resist the temptation to baselessly attack FreeBSD. Any
opinions I have on FreeBSD have been formed through FreeRADIUS, and as
such are well documented on the freeradius-devel list. Certainly the
preceding preceding poster demonstrated that their long experience may
also have been a long time ago, back when Debian was only Stable and
Unstable (Circa 1998 I think) and possibly hadn't grasped the essential
nature of the Debian distributions beyond their names. (Just like the
essential nature of the FreeRADIUS version not being grasped beyond the
upstream version number.) I think I'm sensing a theme here of judging
books by their covers.


Paul "TBBle" Hampson, on an alternate email client.

