Fedora Extras is extra

William M. Quarles quarlewm at jmu.edu
Tue Nov 30 04:14:55 UTC 2004


Michael A. Peters wrote:

> On 11/29/2004 03:07:17 AM, Axel Thimm wrote:
> 
>> Or let me rephrase the problem, why do some people insist that
>> replacing packages is bad? The replacements are obviously done for
>> some reason, and not for reducing stability and security.
> 
> It's bad for several reasons -
> 
> 1) Bugzilla.
> A user has a bug in a program, they report it to bugzilla, clueless to
> the fact that their Fedora binary was replaced by my package and that
> the bug may not be present in the Fedora binary.

I might agree with you on that one, except that a user should really run 
an rpm -q package_name (possibly even rpm -qi) before reporting a bug. 
Red Hat's Bugzilla actually requests users to do this task for this 
reason (and has done so at least ever since I started seriously messing 
around with RHL back in the 7.1 days) (-qi is my idea though).

> 2) Security
> Fedora does sometimes patch packages for security.
> Say Fedora puts a security patch in balsa-2.2.4 but the user is running
> my balsa-2.2.5 package - which also has the vulnerability, but I am not
> aware of it or the patch.
> 
> Fedora releases a new balsa 2.2.4 package fixing the security issue,
> but the user doesn't get the update because they have balsa 2.2.5

Not every package has security vulnerabilities.  This also goes against 
what Axel said earlier that the repositories were faster to respond with 
a patched OpenSSH than Red Hat was.  These guys are on top of their game 
and should not be doubted.

In addition (other than the OpenSSH example), I haven't found a 
replacement package yet that had any potential security vulnerabilities 
(see next).

> 3) Newer isn't always better.
> Maybe libfoobar.so.3.3 provides something that a fooripper needs that
> libfoobar.so.3.2 doesn't provide, but at the same breaks some things
> that I did not test for when packaging the newer libfoobar.

As pointed out by Dag elsewhere on this thread (I'm proud that I could 
start such a huge one!), "BTW the core packages that are replaced (at 
least from the RPMforge project, FreshRPMS, Dries, Dag and PlanetCCRMA) 
are minor, only for leaf-packages (not libraries) and if there's a real 
need. My website has a Rationale attached to each of these packages." 
So your example is moot.

----
Peace,
William
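The check William describes (running `rpm -qi` before filing a bug, so you know whether the binary on the box is the Fedora one or a third-party replacement) can be scripted for a whole system. The script below is an added example, not something from this thread or from any of the repositories mentioned: it reads `rpm -qi`-style output and classifies each package as vendor-built or third-party from its `Vendor:` field. The sample text is constructed in the one-field-per-line layout of modern rpm (older rpm prints two fields per line), and the vendor regex `^(Red Hat|Fedora)` is an assumption you would adjust for your distribution.

```shell
#!/bin/sh
# Added example (not from the thread): classify installed packages by origin
# using the Vendor:/Packager: fields that `rpm -qi` prints, so that a bug
# report or a security-update check starts from the right package.

# SAMPLE is constructed output in the shape of `rpm -qi`; it lets the script
# run without rpm installed. Field layout assumed: one "Key : value" per line.
SAMPLE='Name        : balsa
Version     : 2.2.5
Release     : 1.fc3.example
Vendor      : (none)
Packager    : Example Third-Party Repo <packager@example.invalid>
Name        : openssh
Version     : 3.9p1
Release     : 8
Vendor      : Red Hat, Inc.
Packager    : Red Hat, Inc. <bugzilla at redhat.com>'

# classify_origin: reads rpm -qi style text on stdin and prints one line per
# package: "<name> <version>-<release> <origin>", where origin is "vendor"
# when Vendor matches the distro vendor pattern (assumed here to be
# "Red Hat" or "Fedora") and "third-party" otherwise. The Packager line is
# treated as the last field of each package record.
classify_origin() {
  awk -F': *' '
    /^Name/     { name = $2 }
    /^Version/  { ver  = $2 }
    /^Release/  { rel  = $2 }
    /^Vendor/   { vend = $2 }
    /^Packager/ {
      origin = (vend ~ /^(Red Hat|Fedora)/) ? "vendor" : "third-party"
      printf "%s %s-%s %s\n", name, ver, rel, origin
    }'
}

# third_party_packages: keep only the packages that did not come from the
# vendor. These are the ones a vendor security advisory will not fix and
# the ones to mention (or retest without) before filing in Bugzilla.
third_party_packages() {
  classify_origin | awk '$3 == "third-party" { print $1, $2 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE" | classify_origin
echo "--- third-party only ---"
printf '%s\n' "$SAMPLE" | third_party_packages
```

On a real system, feed it live data with `rpm -qa | xargs rpm -qi | third_party_packages`; any package it lists is one whose updates come from a third-party repository rather than from the distribution's errata, which is exactly the case Michael's second point is about.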
