Keeping FC up to date with RHEL packages?

James Wilkinson james at westexe.demon.co.uk
Thu Oct 14 22:12:08 UTC 2004


thomas.cameron at camerontech.com wrote:
> I know that RHEL 3 is basically the "enterprise" version of Red Hat Linux
> 9.  I know that FC1 was basically what Red Hat Linux 10 would've been had
> Red Hat not made the changes they made.
> 
> So here's my question...  Is it possible to keep, say FC1 up to date using
> RHEL packages?  I mean grabbing the .src.rpm from a mirror and compiling
> it?

http://fedora.redhat.com/about/faq/ says:

Q: Will Red Hat's supported products contain all the packages found in
   Fedora Core?

A: In order to focus our efforts and limit support costs, we will
   probably select a subset of packages found in Fedora Core to include
   in the supported product line.

So those packages not in RHEL will (obviously) not be updated by RHEL
updates.

Now, especially since you're proposing compiling from source, updated
packages from the "right" RHEL should compile and install on the "right"
Fedora. If you're lucky, they will even satisfy the right dependencies,
so that you can install them without having to break other packages that
depend on them.

These packages will have the security fixes for issues within a package,
and these are the most common. However, there is another, more subtle,
form of security bug, where another package doesn't work quite the way
a programmer thinks it does. If you're unlucky, only certain versions of
the other package won't quite work the way that programmer thinks they
do.

(Example: I look after AIX boxes at work. They run OpenSSH, which I
compile from source, since it was taking a while for new AIX packages to
appear. And I use gcc, because it's there and the native AIX compiler
costs money.

There was a security vulnerability on AIX in versions prior to 3.6.1p2,
because the AIX linker works slightly differently to the rest of the
world [1], and if gcc was used, the OpenSSH build scripts would use it
and the AIX linker in such a way that setuid binaries would be
vulnerable. [2])

Now the libraries and compiler support on RHEL will be at different
versions to the FC ones. So it is possible that you'll get security
problems like the one I got.

So basically, you'd have to track all the advisory lists, check reported
bugs, and make sure that you weren't vulnerable. And you'd have to have
plans for what happens if RHEL doesn't need a fix, but you do.

It's possible. But it would be a lot easier just to track White Box
Linux.

Hope this helps,

James.

[1] This is not uncommon on AIX.

[2] It wasn't a remote access vulnerability, "just" an escalation of
privilege vulnerability.

-- 
E-mail address: james | "The duke had a mind that ticked like a clock and,
@westexe.demon.co.uk  | like a clock, it regularly went cuckoo."
                      |     -- Terry Pratchett, Wyrd Sisters
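The dependency check the reply alludes to ("satisfy the right dependencies"), as an added example that is not part of the original thread: it re-implements rpm's segment-wise version comparison and lists the Requires of a rebuilt package that nothing on the target box Provides. The REQUIRES and PROVIDES lists are constructed stand-ins for `rpm -qpR package.rpm` and `rpm -qa --provides` output; epoch, tilde and caret handling are assumed not to be needed and are left out.

```python
import re

# Constructed sample, not captured output: what `rpm -qpR` on a rebuilt RHEL 3
# package and `rpm -qa --provides` on an FC1 box might list.
REQUIRES = ["openssl >= 0.9.7a", "libcrypto.so.4", "pam >= 0.75",
            "glibc >= 2.3.2-95", "rpmlib(PayloadFilesHavePrefix) <= 4.0-1"]
PROVIDES = ["openssl = 0.9.7a-5", "libcrypto.so.4", "pam = 0.77-9",
            "glibc = 2.3.2-27"]

DEP = re.compile(r"^(\S+)(?:\s*(<=|>=|=|<|>)\s*(\S+))?$")
SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a, b):
    """Segment-wise compare as rpm does (epoch, tilde and caret not handled)."""
    sa, sb = SEGMENT.findall(a), SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1          # numeric beats alpha
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")      # compare as integers
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def vrcmp(a, b):
    (va, _, ra), (vb, _, rb) = a.partition("-"), b.partition("-")
    c = rpmvercmp(va, vb)
    return rpmvercmp(ra, rb) if c == 0 and ra and rb else c  # release only if both have one

def satisfies(op, want, have):
    if op is None or have is None:   # unversioned on either side always matches
        return True
    c = vrcmp(have, want)
    return {"=": c == 0, ">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0}[op]

def unmet_requires(requires, provides):
    table = {}
    for line in provides:
        name, _, ver = DEP.match(line.strip()).groups()
        table.setdefault(name, []).append(ver)
    unmet = []
    for line in requires:
        name, op, ver = DEP.match(line.strip()).groups()
        if name.startswith("rpmlib("):   # supplied by rpm itself, not a package
            continue
        if not any(satisfies(op, ver, have) for have in table.get(name, [])):
            unmet.append(line.strip())
    return unmet
```

With the constructed lists, only the glibc requirement is reported as unmet; on a real box feed it the two rpm outputs split into lines.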