<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#44546A;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#44546A;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:14.0pt;color:#44546A">So, maybe I’ve missed something, but is this more complicated than running rpmbuild with different Macros? I’m pretty good with rpms, but I know I don’t always follow Fedora Packaging Guidelines.
I know that our DevOps guys will not want to submit builds to Copr, etc., and may not even use a local chroot to assure than BuildRequires is right.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;color:#44546A"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;color:#44546A">However, if most of the time, they can download a tarball for Python, download the SRPM for rh-python34 or rh-python34, and then run rpmbuild with different options, they would probably be OK,
and I could break the back of that work so that they have some wikis and local knowledge to go from.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;color:#44546A"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;color:#44546A">This is how I complied with security guidelines when I did a lot of rpm building, but generally it was slightly simpler packages than Python. For instance, with Apache httpd, our customers
network scanner would say, you are still running httpd X.Y.Z, and so I would pull the SRPM for httpd from Fedora 16 (going back a ways), take a look at the required libraries and versions on Fedora 16, and compare with CentOS 6, then I would copy the tarball
and adjust version macros for our own custom version of httpd, make sure to include Conflicts with the system package, and so on.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;color:#44546A"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;color:#44546A">So, I understand that SCLs aren’t the only way to have other versions, but SCLs prevent conflicts. It gives RedHat customers a step between tarball and rpm that may conflict. That’s what
I’m looking for.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;color:#44546A"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;color:#44546A">However, <a href="https://www.softwarecollections.org/en/docs/guide/#Creating_Your_Own_Software_Collections">
https://www.softwarecollections.org/en/docs/guide/#Creating_Your_Own_Software_Collections</a> is somewhat imposing, even for me. For our DevOps team, who normally deal with a little bash, a little ansible, and a lot of Jenkins, this is very imposing.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;color:#44546A"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span style="color:windowtext"> Brian Gollaher [mailto:bgollahe@redhat.com]
<br>
<b>Sent:</b> Thursday, June 29, 2017 12:52 PM<br>
<b>To:</b> Davis, Daniel (NIH/NLM) [C] <daniel.davis@nih.gov>; sclorg@redhat.com<br>
<b>Subject:</b> Re: [scl.org] Python "latest" SCLo<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Yes, thanks Dan. Many security scanning tools look for the latest version and flag older versions as being a potential risk. I wanted to be sure that this is what is happening, rather than collections not receiving security updates fast
enough and actually missing an important CVE.<br>
<br>
On 06/29/2017 11:54 AM, Davis, Daniel (NIH/NLM) [C] wrote:<span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:14.0pt;color:#44546A">The DevOps team wants to update to the latest Python as a rule as a security from security mitigation technique. I hope that makes sense.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:14.0pt;color:#44546A"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span style="color:windowtext"> Brian Gollaher [<a href="mailto:bgollahe@redhat.com">mailto:bgollahe@redhat.com</a>]
<br>
<b>Sent:</b> Thursday, June 29, 2017 11:50 AM<br>
<b>To:</b> Davis, Daniel (NIH/NLM) [C] <a href="mailto:daniel.davis@nih.gov"><daniel.davis@nih.gov></a>;
<a href="mailto:sclorg@redhat.com">sclorg@redhat.com</a><br>
<b>Subject:</b> Re: [scl.org] Python "latest" SCLo</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">Hi Dan. May I ask a question? Is your security team looking for a fix to a specific security problem or CVE or are they asking that you run the latest version as a rule?<br>
<br>
thanks,<br>
Brian<br>
<br>
On 06/29/2017 11:24 AM, Davis, Daniel (NIH/NLM) [C] wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:14.0pt">I’ve been lurking on this list for a while, and I wanted to bring myself up to date. I noticed some talk of a community SCL for a “latest” Python, which would be a non-patched pure build of Python that is
kept up-to-date by the community. Where is that at? Who is leading it? How can I help?</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:14.0pt">For background, we’ve used rh-python34 for some time, but our security team recently dinged us for sticking with Python 3.4.2, and my DevOps team (who have less time due to tickets), just recompiled Python
3.4.6 blind to get past the security problem. I would have argued we should move to rh-python35, but that would eventually suffer the same problem. What we need is a distribution that keeps up to date, but is still distributed as an rpm.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:14.0pt">Thanks,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal">Dan Davis, Systems/Applications Architect (Contractor),<o:p></o:p></p>
<p class="MsoNormal">Office of Computer and Communications Systems,<o:p></o:p></p>
<p class="MsoNormal">National Library of Medicine, NIH<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt"><br>
<br>
<br>
<br>
</span><o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>SCLorg mailing list<o:p></o:p></pre>
<pre><a href="mailto:SCLorg@redhat.com">SCLorg@redhat.com</a><o:p></o:p></pre>
<pre><a href="https://www.redhat.com/mailman/listinfo/sclorg">https://www.redhat.com/mailman/listinfo/sclorg</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt"><br>
<br>
<br>
</span><o:p></o:p></p>
<pre>-- <o:p></o:p></pre>
<pre>Brian Gollaher<o:p></o:p></pre>
<pre>Red Hat Platform Product Management<o:p></o:p></pre>
<pre>Phone: 978 392-3173<o:p></o:p></pre>
<pre>Cell: 508 740-6549<o:p></o:p></pre>
<pre><a href="mailto:briang@redhat.com">briang@redhat.com</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><br>
<br>
<o:p></o:p></span></p>
<pre>-- <o:p></o:p></pre>
<pre>Brian Gollaher<o:p></o:p></pre>
<pre>Red Hat Platform Product Management<o:p></o:p></pre>
<pre>Phone: 978 392-3173<o:p></o:p></pre>
<pre>Cell: 508 740-6549<o:p></o:p></pre>
<pre><a href="mailto:briang@redhat.com">briang@redhat.com</a><o:p></o:p></pre>
</div>
</body>
</html>