Thank you

This survey is now closed. I will be making a summary of the results available soon.

FreeBSD Security Survey

While the FreeBSD Security Team has traditionally been very good at investigating and responding to security issues in FreeBSD, this only solves half of the security problem: Unless users and administrators of FreeBSD systems apply the security patches provided, the advisories issued accomplish little beyond alerting potential attackers to the presence of vulnerabilities.

The Security Team has been concerned for some time by anecdotal reports concerning the number of FreeBSD systems which are not being promptly updated or are running FreeBSD releases which have passed their End of Life dates and are no longer supported. In order to better understand which FreeBSD versions are in use, how people are (or aren't) keeping them updated, and why it seems so many systems are not being updated, I have put together a short survey of 12 questions. The information gathered will inform the work done by the Security Team, as well as my own personal work on FreeBSD this summer.

If you administrate system(s) running FreeBSD (in the broad sense of "are responsible for keeping system(s) secure and up to date"), please complete the survey below before May 31st, 2006.


1. How many FreeBSD systems do you administrate?
1	2-5	6-10
11-100	101-1000	1001+

2. Where do you use FreeBSD? (check all that apply)
work	school	home
other, please state:

3. Which FreeBSD versions do you use? (check all that apply)
2.x	3.x	4.0 - 4.9
4.10	4.11	5.0 - 5.2.1
5.3	5.4	5.5
6.0	6.1
other, please state:

4. If you are using FreeBSD 2.x or 3.x, FreeBSD 4.x prior to 4.10, or FreeBSD 5.x prior to 5.3, why haven't you upgraded to a newer release? (check all that apply)
too difficult / not enough time
using software which doesn't support later versions of FreeBSD
don't see any reason to upgrade
don't know how to upgrade
other reason, please state:

5. Are you subscribed to a mailing list which distributes FreeBSD Security Advisories? (Advisories are sent to the freebsd-announce, freebsd-security, freebsd-security-notifications, and bugtraq lists).
yes	no

6. Do you normally apply security patches issued by the FreeBSD Security Team and announced via Security Advisories?
yes	yes, if the advisory says that I'm affected	no

7. How do you apply security patches? (if multiple options apply, pick the one which applies to the most systems you administrate)
by hand, using buildworld/installworld or buildkernel/installkernel
using FreeBSD Update
other, please state:
I don't apply security patches

8. If you don't use FreeBSD Update, why not? (check all that apply)
need a custom kernel configuration
have local patches to the source tree
use non-i386 systems
track a -stable or -current branch instead of a release
wasn't aware of FreeBSD Update
don't apply security patches
other reason, please state:

9. On average, how frequently do you update the ports tree on systems you administrate (via CVSup, "portsnap fetch", or other means)?
every day
at least once a week
at least once a month
less than once a month
I never update / don't use the FreeBSD ports tree

10. How do you update the FreeBSD ports tree on systems you administrate? (if multiple options apply, pick the one which applies to the most systems you administrate)
CVSup
portsnap
other, please state:
I never update / don't use the FreeBSD ports tree

11. If you don't use portsnap, why not? (check all that apply)
CVSup works fine
want to keep local changes to the ports tree
wasn't aware of portsnap
never update / don't use the FreeBSD ports tree
other reason, please state:

12. Do you use portaudit to warn you about installed ports with security flaws?
yes	no