tlscache

Alan DeKok aland at deployingradius.com
Tue Sep 3 13:23:56 CEST 2019


On Sep 3, 2019, at 4:23 AM, Martin Pauly <pauly at hrz.uni-marburg.de> wrote:
> That was the Debian way to deal with the auth bypass issue that had popped up
> with tls_cache in 3.0.14 (AFAIR): They try to backport delta patches to
> _whatever_ version Debian stable is shipping at the time (here: 3.0.12).

  i.e. backport patches which they think are important.

  We patch those, plus things *we* think are important.  Like bug fixes.  Which is why we release new versions.

> AFAIK, Ubuntu in turn draws on the Debian packages, but tries to provide
> newer versions, i.e. 3.0.17 here. Looks newer, but seemingly has inherited
> Debian's "fix". So you end up with a pseudo-3.0.17 that has tls_cache
> disabled the hard way while upstream things had been fixed very quickly in
> FR 3.0.15.

  If only these people could use "email" to ask us for help.  Typically they don't.

> One could get the impression that certain FR developers don't like this too much, cf.
> a similar discussion about openssl issues:
> http://lists.freeradius.org/pipermail/freeradius-users/2017-September/088774.html
> http://lists.freeradius.org/pipermail/freeradius-users/2017-September/088784.html

  I understand that OS distributions hate upgrading.  But the result is a hatred for their end users.  They ship packages which are years out of date, and expect *us* to support them.

  My favourite is the RedHat customers who complain about bugs in 5-year-old versions of the server.  When they're told to use the Network RADIUS packages, they say "Oh we can't upgrade, we're buying support from RedHat!"

  Well, then either tell RedHat to stop being idiots and *support* you by fixing the bugs, OR stop paying RedHat for services which they're not providing.

  Those choices confuse people.

> Watching this pseudo-3.0.17 thing really makes me think Alan&Alan are plain right.

  That makes me happy.  :)

> While using Debian/Ubuntu as a base might save you some hassles, there are
> serious limits to their approach. To run a productive FR server, either compile
> yourself or get .debs from https://networkradius.com/freeradius-packages/

  That's why we provide the packages.  We want to have people use the latest releases, so those packages are available for free.  And unlike RedHat, we don't charge you money for providing 5-year-old software.

  Alan DeKok.



