Mantis and "difficult" upgrades (Was: Fedora Extras 3)

Dennis Gilmore dennis at ausil.us
Mon May 22 15:11:33 UTC 2006


> A quick chat with the packager of mantis (which is responsible for
> five open CVEs on FE3 and FE4) shows that updates to 1.0.3 are
> forthcoming for FE5 (which should fix CVE-2006-1577) but there is no
> clean update path for FE3 and FE4 due to schema changes.  There are
> supposedly some scripts which will do the necessary schema updates.
>
> It looks like backporting anything would be unreasonable, although I
> haven't looked closely at the source.
>
> So, a dilemma:
> 1) Push a naive update and break systems, leaving the admins to run
>    the schema updates.
Not good, but probably fairly wise. Attach to the announcement the need
for manual admin intervention. If the upgrade scripts do not work then
the admin should be prepared to fix things by hand.

> 2) Run them automatically and hope they actually work.
Bad if it could break things badly. Better to make sure that the admin
is aware of what is needed. Could be OK with sufficient testing.

> 3) Leave things as they are (insecure).
Not good, and another reason to EOL FE3.

> 4) Work in earnest to try to backport patches or come up with our own
>    fixes.
May be best bet, though schema updates should be taken into
consideration. If I updated my FC3 or FC4 systems to FC5 there should
be a proper upgrade path.

> The maintainer also suggested that we pull mantis from FE3, although
> that can't do anything for existing installations.  (He doubts there
> are any.)
Hard to say without stats from mirrors.
I'd rather not pull it. It's very hard to get the info out to everyone
who may be interested. I know that some people rebuild my extras rebuild
on Aurora. I guess they don't trust my builds, but they use the SRPMS I
publish.

Dennis




More information about the Fedora-security-list mailing list