rpm/up2date question

Satish Balay balay at fastmail.fm
Fri Apr 23 15:20:26 UTC 2004

On Fri, 23 Apr 2004, Kevin M. Shortt wrote:

> 
> Hi all,
> 
> I am relatively new to RH and fedora.
> I have no production servers in place for either distro and have
> only been playing with it for a short while, so please forgive
> me if I seem to sound clueless with the handling of rpms and up2date.
> 
> 
> I am used to downloading the source (for any package) and compiling
> it myself and maintaining it myself. RH/FC has up2date and rpm's.
> I've discovered that the latest version of something available via up2date
> (or even on rpmfind.net) is NOT the latest recommended version on the
> "vendors" site.
> 
> For instance, I use openssl. Well www.openssl.org has 0.9.7d available
> and is the recommended stable and secure release of openssl.
> Well the latest version from up2date that I have found is openssl 0.9.7a
> I have only used the one mirror that I have setup thus far.
> On my machine "rpm -qi openssl" returns info on openssl-0.9.7a-33.10.
> 
> I am trying to learn the ways of rpms and get accustomed to its
> convenience. However, if I need to break from the standard to comply
> with security vulnerabilities on select software, then it's really
> not doing me any good in the long run.
> 
> Can anyone remark or comment to help me either correct my ignorance
> or share with me what you do to combat needing to maintain both
> ways of administrating your machines?
> 
> Thanks in advance..

Since no one has taken a stab at this yet....

1. You don't want to be replacing critical components with newer
   versions - especially openssl. This could break other
   packages. There is some discussion about this in fedora-devel
   mailing list (don't have the correct url to this discussion)

2. generally redhat backports security patches to critical components
   (kernel/glibc/openssl/openssh). You can't rely on the version
   number to know which fixes are already applied. The changelog is
   one place where this info is usually documented.

rpm -q --changelog openssl | grep CAN
http://www.redhat.com/mailman/listinfo/fedora-announce-list

3. wrt long term security fixes fedora-legacy group is picking up the
   work after the EOL from Redhat.  You might want to check out

http://www.redhat.com/mailman/listinfo/fedora-legacy-list
http://www.fedoralegacy.org/

4. There are multiple repositories which provide precompiled rpms for
   FC1. You don't have to rebuild these binaries. I rebuild only if I
   have to get the rpm from a different distribution (via rpmfind).

And I manage all the repositories (fedora, extras, dag,
my-local-build-rpms) using yum (instead of up2date). My experience is
with managing linux on my laptop.

Satish
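The changelog check from point 2 above, worked through as an added example (this is not code from Satish's reply or from any Fedora tool): a small POSIX shell script that pulls every CAN-/CVE- identifier out of an rpm changelog and reports which of a given set of advisories the packager has documented as fixed. The changelog text and the advisory numbers in it are constructed placeholders; on a real system the input would be the output of `rpm -q --changelog openssl`. It assumes, as the reply says is usual, that the packager names the advisory in the changelog entry; a fix that is applied but not named would show up as missing.

```shell
#!/bin/sh
# Constructed sample of what `rpm -q --changelog <pkg>` prints. The package
# version never moves past 0.9.7a, yet the changelog records backported
# fixes. All dates, names and CAN numbers below are made-up placeholders.
SAMPLE_CHANGELOG='* Wed Mar 17 2004 Example Packager <packager@example.invalid> 0.9.7a-33.10
- fix handshake denial of service (CAN-2004-9901)
- fix crash in certificate parsing (CAN-2004-9902)

* Tue Sep 30 2003 Example Packager <packager@example.invalid> 0.9.7a-20
- backport ASN.1 fixes (CAN-2003-9903), supersedes earlier CAN-2004-9901 note
'

# Print every CAN-/CVE- identifier found in the changelog on stdin,
# one per line, deduplicated (the same id often appears in several entries).
extract_advisories() {
    grep -oE '(CAN|CVE)-[0-9]{4}-[0-9]+' | sort -u
}

# Read a changelog on stdin; each argument is an advisory id to look for.
# Prints FIXED or MISSING per id and returns the number of missing ids,
# so a non-zero exit means at least one advisory is not documented.
check_advisories() {
    fixed=$(extract_advisories)
    missing=0
    for id in "$@"; do
        if printf '%s\n' "$fixed" | grep -qx "$id"; then
            echo "FIXED    $id"
        else
            echo "MISSING  $id"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Demo on the constructed sample. On a real box this would read:
#   rpm -q --changelog openssl | check_advisories CAN-XXXX-XXXX ...
printf '%s' "$SAMPLE_CHANGELOG" | check_advisories CAN-2004-9901 CAN-2004-9999 \
    || echo "at least one advisory is not mentioned in the changelog"
```

The exit status makes the function usable from a cron job or audit script: feed it the ids from the vendor advisory you care about and act only on the MISSING lines, instead of comparing version strings that Red Hat's backporting policy makes meaningless for this purpose.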