rpm/up2date question
Satish Balay
balay at fastmail.fm
Fri Apr 23 15:20:26 UTC 2004
On Fri, 23 Apr 2004, Kevin M. Shortt wrote:
>
> Hi all,
>
> I am relatively new to RH and fedora.
> I have no production servers in place for either distro and have
> only been playing with it for a short while, so please forgive
> me if I seem to sound clueless with the handling of rpms and up2date.
>
>
> I am used to downloading the source (for any package) and compiling
> it myself and maintaining it myself. RH/FC has up2date and rpms.
> I've discovered that the latest version of something available via up2date
> (or even on rpmfind.net) is NOT the latest recommended version on the
> "vendors" site.
>
> For instance, I use openssl. Well www.openssl.org has 0.9.7d available
> and is the recommended stable and secure release of openssl.
> Well the latest version from up2date that I have found is openssl 0.9.7a
> I have only used the one mirror that I have set up thus far.
> On my machine "rpm -qi openssl" returns info on openssl-0.9.7a-33.10.
>
> I am trying to learn the ways of rpms and get accustomed to their
> convenience. However, if I need to break from the standard to comply
> with security vulnerabilities on select software, then it's really
> not doing me any good in the long run.
>
> Can anyone remark or comment to help me either correct my ignorance
> or share with me what you do to combat needing to maintain both
> ways of administrating your machines?
>
> Thanks in advance..
Since no one has taken a stab at this yet....
1. You don't want to be replacing critical components with newer
versions - especially openssl. This could break other
packages. There is some discussion about this in fedora-devel
mailing list (don't have the correct url to this discussion)
2. generally redhat backports security patches to critical components
(kernel/glibc/openssl/openssh). You can't rely on the version
number to know which fixes are already applied. The changelog is
one place where this info is usually documented.
rpm -q --changelog openssl | grep CAN
http://www.redhat.com/mailman/listinfo/fedora-announce-list
3. wrt long term security fixes the fedora-legacy group is picking up the
work after the EOL from Redhat. You might want to check out
http://www.redhat.com/mailman/listinfo/fedora-legacy-list
http://www.fedoralegacy.org/
4. There are multiple repositories which provide precompiled rpms for
FC1. You don't have to rebuild these binaries. I rebuild only if I
have to get the rpm from a different distribution (via rpmfind).
And I manage all the repositories (fedora, extras, dag,
my-local-build-rpms) using yum (instead of up2date). My experience is
with managing linux on my laptop.
Satish
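The changelog check from point 2 above, worked through as an added example that is not part of the thread: rather than just grepping for CAN, it parses the `rpm -q --changelog` output into entries and reports the oldest version-release whose entry names a given advisory, so a version string like 0.9.7a can be checked against backported fixes. The changelog text, the packager name and the CAN ids in it are constructed sample data, not real openssl history.

```python
import re
import subprocess

# Matches the header line of each rpm changelog entry, e.g.
#   * Wed Mar 17 2004 Example Packager <packager@example.com> 0.9.7a-33.10
HEADER_RE = re.compile(r"^\* (\w{3} \w{3} +\d{1,2} \d{4}) (.*?) (\S+)$")
# Advisory identifiers as they appear in changelog text (CAN-/CVE-YYYY-NNNN).
ADVISORY_RE = re.compile(r"\b(?:CAN|CVE)-\d{4}-\d{4,}\b")

# Constructed sample changelog (not real openssl history): the upstream
# version stays 0.9.7a while fixes are backported in later package releases.
SAMPLE_CHANGELOG = """\
* Wed Mar 17 2004 Example Packager <packager@example.com> 0.9.7a-33.10
- backport fix for CAN-2004-1111 (constructed id, not a real advisory)
- rebuild

* Mon Oct 06 2003 Example Packager <packager@example.com> 0.9.7a-20
- apply upstream patches for CAN-2003-2222 and CAN-2003-3333 (constructed ids)

* Tue Feb 25 2003 Example Packager <packager@example.com> 0.9.7a-2
- update to 0.9.7a
"""

def parse_changelog(text):
    """Return {version-release: set of advisory ids}, newest entry first."""
    fixes = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(3)          # version-release at end of header
            fixes.setdefault(current, set())
        elif current is not None:
            fixes[current].update(ADVISORY_RE.findall(line))
    return fixes

def first_release_fixing(text, advisory):
    """Oldest version-release whose changelog entry names `advisory`, or None."""
    found = None
    for release, ids in parse_changelog(text).items():
        if advisory in ids:
            found = release               # entries are newest first: keep last hit
    return found

def installed_changelog(package):
    """Fetch the changelog of an installed package with the command from the post."""
    return subprocess.run(["rpm", "-q", "--changelog", package],
                          check=True, capture_output=True, text=True).stdout
```

On a real system, pass `installed_changelog("openssl")` instead of `SAMPLE_CHANGELOG` and compare the result with `rpm -q openssl` to see whether the installed release is at or past the one that first mentions the advisory.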