Fedora Extras is extra

Axel Thimm Axel.Thimm at ATrpms.net
Tue Nov 30 00:10:14 UTC 2004


On Mon, Nov 29, 2004 at 06:54:08PM +0000, Michael A. Peters wrote:
> On 11/29/2004 03:07:17 AM, Axel Thimm wrote:
> > Or let me rephrase the problem, why do some people insist that
> > replacing packages is bad? The replacements are obviously done for
> > some reason, and not for reducing stability and security.
> 
> It's bad for several reasons -
> 
> 1) Bugzilla.
> A user has a bug in a program, they report it to bugzilla, clueless to  
> the fact that their Fedora binary was replaced by my package and that  
> the bug may not be present in the Fedora binary.

rpm -qi is your friend, and I have not seen one bug at
bugzilla.redhat.com that was accidentally for a 3rd party repo (not
that I exclude that there will be any, but this hasn't ever been
articulated to be a problem).

After all one of the first entries you have to make is the
version-release of the package.

> 2) Security
> Fedora does sometimes patch packages for security.
> Say Fedora puts a security patch in balsa-2.2.4 but the user is running  
> my balsa-2.2.5 package - which also has the vulnerability, but I am not  
> aware of it or the patch.

That's not confined to packages replacing core packages. If your
package has a security flaw, be it a replacement or not, you need to
fix it, otherwise you leave open holes on your users' systems. In fact
the situation is worse with non-replaced packages, as for replacements
there is a good chance that the updated core packages will close your
security hole (and a lot of replaced packages have a versioning scheme
to automatically fallback to the security updated vendor package,
e.g. see the ATrpms' kernels).

> Fedora releases a new balsa 2.2.4 package fixing the security issue,  
> but the user doesn't get the update because they have balsa 2.2.5
> 
> 3) Newer isn't always better.

That's hardly a focus for the patches/updates/replacements. "Newer is
better" is rawhide's job. The largest part of the updates are due to
other packages requiring it.

> Maybe libfoobar.so.3.3 provides something that a fooripper needs that  
> libfoobar.so.3.2 doesn't provide, but at the same breaks some things  
> that I did not test for when packaging the newer libfoobar.
-- 
Axel.Thimm at ATrpms.net
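The "versioning scheme to automatically fallback" that Axel mentions relies on how rpm orders Epoch-Version-Release. The following is an added example, not code from this thread, from ATrpms or from rpm itself: a Python re-implementation of rpm's segment-wise version comparison, applied to the balsa scenario discussed above. The release tags (`1`, `2`, `1.1.at`) are constructed assumptions used only to show which build wins.

```python
import re

# Split a version or release string into the segments rpm compares:
# runs of digits, runs of letters, and the '~' pre-release marker.
# (Assumption: mirrors rpm's rpmvercmp rules; the '^' marker is omitted.)
_SEG = re.compile(r'[0-9]+|[a-zA-Z]+|~')

def rpmvercmp(a: str, b: str) -> int:
    """Return 1, 0 or -1 depending on whether a is newer, equal or older than b."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    while sa or sb:
        # '~' sorts before anything, including the end of the string (1.0~rc1 < 1.0)
        if (sa and sa[0] == '~') or (sb and sb[0] == '~'):
            if not sa or sa[0] != '~':
                return 1
            if not sb or sb[0] != '~':
                return -1
            sa.pop(0); sb.pop(0)
            continue
        if not sa:          # whichever string still has segments left is newer
            return -1
        if not sb:
            return 1
        x, y = sa.pop(0), sb.pop(0)
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment beats an alpha one
        if x.isdigit():
            x, y = x.lstrip('0'), y.lstrip('0')
            if len(x) != len(y):              # longer digit run is the larger number
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return 0

def evr_cmp(a, b) -> int:
    """Order two (epoch, version, release) tuples the way rpm orders packages."""
    (ea, va, ra), (eb, vb, rb) = a, b
    if int(ea) != int(eb):
        return 1 if int(ea) > int(eb) else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def vendor_update_wins(installed_evr, vendor_update_evr) -> bool:
    """True if the vendor's (security) update would replace the installed build."""
    return evr_cmp(vendor_update_evr, installed_evr) > 0

# Constructed scenario from the thread: a third-party balsa-2.2.5 is installed,
# then Fedora ships a patched balsa-2.2.4-2. The user never gets the fix...
STUCK = vendor_update_wins((0, '2.2.5', '1'), (0, '2.2.4', '2'))      # False
# ...whereas a rebuild tagged with the vendor release plus a suffix sorts
# above the vendor's -1 but below its -2, so the security update takes over.
FALLS_BACK = vendor_update_wins((0, '2.2.4', '1.1.at'), (0, '2.2.4', '2'))  # True
```

`rpm -qi` on the installed package shows the Version and Release that the comparison above is based on, which is how a reporter can tell a vendor build from a replacement.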