Quoting Michal Schmidt (2012-06-14 15:10:56)
On 06/14/2012 02:59 PM, Stanislav Ochotnicky wrote:
> +%triggerun -- jetty < 8.1.2-9
You already have one triggerun for jetty in the spec:
%triggerun -- jetty < 8.1.0-3
You're likely to hit this RPM bug:
https://bugzilla.redhat.com/show_bug.cgi?id=702378
I guess this in itself solves the problem for us. We can't fix user
systems properly ergo...
> +/bin/systemctl --no-reload disable jetty.service >/dev/null
2>&1 ||:
> +/bin/systemctl --no-reload stop jetty.service >/dev/null 2>&1 ||:
>
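Review bot: On both systemctl lines, `>/dev/null 2>&1 ||:` discards the output and the exit status, so if the stop fails during the update the service keeps running and nothing in the transaction output shows it. Since the trigger exists to make sure an already-installed jetty is not left enabled and running, consider keeping stderr on the stop line, or state in the update notes that admins should confirm the result with `systemctl status jetty.service`. A short spec comment above the trigger explaining why 8.1.2-9 is the cut-off version would also help later maintainers.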
> This trigger will do the following:
> If we are updating from previous releases, we disable the service and
> stop it if it's running
I dislike this, because:
- You'd just break some users' systems for the sake of a different
subset of users.
- Some breakage during distribution upgrade is more tolerable than
breakage within regular updates.
Well not anymore, I'll just describe it in the bodhi update.
Is a running jetty really _that_ dangerous? Why do we ship it at all
then? ;-)
Why do we ship Apache, tomcat and tens (hundreds?) of other useful
packages? Jetty, unlike most packages, _is_ remotely accessible so the
attack surface is rather large.
If you wrote that in jest, then sorry, but I don't take my mistake that
could compromise security of Fedora's users that lightly.
Bummer...
--
Stanislav Ochotnicky <sochotnicky(a)redhat.com>
Software Engineer - Base Operating Systems Brno
PGP: 7B087241
Red Hat Inc.
http://cz.redhat.com