[prev in list] [next in list] [prev in thread] [next in thread] 

List:       centos
Subject:    Re: [CentOS] This doesn't make sense
From:       Lamar Owen <lowen () pari ! edu>
Date:       2011-09-23 17:57:07
Message-ID: 201109231357.07573.lowen () pari ! edu
[Download RAW message or body]

On Friday, September 23, 2011 01:29:51 PM Dennis Jacobfeuerborn wrote:
> What you are suggesting here is that people should expect centos systems to 
> be insecure and go the RHEL if they want secure systems.

If the timeliness of security updates is essential/critical you cannt get faster \
updates than with the upstream paid subscription; it is impossible for a rebuild to \
release the update before it's posted.  So, yeah, if getting the fix the quickest is \
mission-critical then a subscription to upstream should be purchased.  If you can't \
afford or don't want to pay for a subscription, then you have two options:

1.) Build and test it yourself;
2.) Wait on someone else to build it and test it, where 'someone else' can be an \
individual or one of the rebuild projects, of which CentOS has the largest \
distribution with SL next largest.

If you can't wait and can't build it and can't pay for a subscription, then you have \
two options: 1.) Get your server off the net immediately;
2.) Be insecure until you get the update.

> Have you pondered the moral implications of your statement? Does that mean 
> that the centos project is perfectly fine with knowingly distributing a 
> system that insecure and a danger not only to its users but to others as well?

All systems are insecure.  Updates are for the known holes; there are and always will \
be unknown holes.  

Have you pondered the moral implications of knowlingly installing insecure software \
and placing it on the public internet?  Oh, wait, it's not a moral issue, since there \
is no such thing as secure software.

> Drop whatever 6.x related things you are 
> doing, build the package, put it online, make an announcement and then get 
> back to the regular schedule. 

You are missing some highly important steps.  Let me summarize:
1.) Get source RPM(s) for the update from upstream.  Upstream's source RPM's for the \
updates have been known to be delayed, sometimes for quite a while; 2.) Build;
3.) Verify binary compatibility (that is, does it have identical binary dependencies \
on identical versions of dependencies, verifying that it was built in an identical \
buildroot as upstream?) (you do realize that a given source RPM can be built to \
generate very different and potentially incompatible binary RPMs depending upon the \
contents of the buildroot, right?); 4.) QA the package to make sure other people with \
various systems can install and use the package, and that it really does fix the \
problem; 5.) Make sure the resulting repository is 'closed' (that is, in a consistent \
state so people updating don't get nasty surprises); 6.) Seed the mirror system.  A \
large package update set can take a significant amount of time to propagate; 7.) \
Announce, and wait on the inevitable bug reports and complaints that it broke users' \
systems.

Sounds like fun, no?
 
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic