Security updates are too slow or nonexistent
pros-n-cons at bak.rr.com
Sun Feb 8 01:42:21 UTC 2004
On Sat, 07 Feb 2004 14:46:01 -0800
"Nathan G. Grennan" <fedora-list at cygnusx-1.org> wrote:
> The difference in speed of release of updates, or the release of the
> updates at all seems to have greatly changed with time between Red Hat
> Linux 9 and Fedora Core 1. This seems to be a confirmation of my fears.
> If you compare the Red Hat Linux 9 errata list over the last few months
> to Fedora's updates list you see delays or lack of releases for Fedora
> Core 1 that were made for Red Hat Linux 9. Examples: mailman (only in
> Fedora Core 1 updates-testing), slocate (4 days late), mc (no update),
> tcpdump (no update), and httpd (3 weeks late). The emerging policy inside
> Red Hat for Fedora Core is something like be as lazy as you want to be
> about security updates. The net effect seems to be many local exploits,
> and remote exploits attackable for too long. You might question if this
> is just a case of different packages and versions between Red Hat Linux
> 9 and Fedora Core 1. I did look at the Red Hat 9 errata closely for
> affected versions, and compared dates. In the above cases Fedora Core 1
> should be in the affected list.
> There are also issues that end up isolated to Fedora Core 1, like the
> current situation with gaim. There are vulnerabilities in gaim (patch
> available, Debian has used it) and there is no sign of a patched rpm for
> So Red Hat is neglecting Fedora Core 1's security. This is very
> disturbing. It is made worse from my perspective by talk of community
> involvement in packaging, but then almost none exists. The community
> could put a lot of effort into security releases to take some of the
> burden off Red Hat. Then its job would be to confirm it and release it.
> At the very least it would get things into updates testing faster, and
> hence make them more available.
> URL about errata/updates:
I agree, the security fixes have been horrid and confusing. I don't expect
Red Hat to take this problem up as actively as they do for RHEL. I remember
one RH employee (nottingham?) called for a tool to parse advisories in python
and output into XML. I suspect this is needed to get some organization for them
to apply things more efficiently. If I knew either of these languages I'd have
been working on it for the last week. Can you code in them? I suspect they are
working on ways to get more community involvement but policies are on the back
burner at the moment or being worked on at a lower precedence to other issues.
When Red Hat gets some guidelines together on how and what they want from us I
think pieces will start coming together. Just speculation on my part at this point.
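The thread's complaint is measured by comparing one distribution's errata dates against the other's update dates. The script below is an added example, not code from this thread or from Red Hat: it computes the per-package lag (slocate 4 days, httpd 3 weeks, mc and tcpdump missing) from constructed advisory records and emits the kind of XML summary the reply says someone asked for. Package names match the thread; the dates are constructed and not real advisory dates.

```python
"""Measure security-update lag between two distributions' advisory lists.

Constructed example: each record maps a package to the date its fix was
published, first for the reference distribution (Red Hat Linux 9 errata),
then for the candidate (Fedora Core 1 updates). A package missing from the
candidate means no fix has shipped at all.
"""
from datetime import date
import xml.etree.ElementTree as ET

# Constructed sample data; the dates are illustrative, not real advisory dates.
RHL9_ERRATA = {
    "slocate": date(2004, 1, 12),
    "httpd": date(2003, 12, 15),
    "mc": date(2004, 1, 20),
    "tcpdump": date(2004, 1, 15),
}
FC1_UPDATES = {
    "slocate": date(2004, 1, 16),
    "httpd": date(2004, 1, 5),
}


def update_lag(reference, candidate):
    """Return {package: lag_days or None} for every package fixed in `reference`.

    None means the candidate distribution has shipped no fix, which is the
    case an administrator should escalate first.
    """
    lag = {}
    for pkg, fixed_on in reference.items():
        shipped = candidate.get(pkg)
        lag[pkg] = (shipped - fixed_on).days if shipped else None
    return lag


def lag_report_xml(lag, max_days=7):
    """Serialise the lag table as XML, flagging slow or missing updates."""
    root = ET.Element("update-lag")
    for pkg, days in sorted(lag.items()):
        el = ET.SubElement(root, "package", name=pkg)
        if days is None:
            el.set("status", "missing")
        else:
            el.set("lag-days", str(days))
            el.set("status", "late" if days > max_days else "ok")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(lag_report_xml(update_lag(RHL9_ERRATA, FC1_UPDATES)))
```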