SCIENTIFIC-LINUX-USERS Archives

September 2017

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Nico Kadel-Garcia <[log in to unmask]>
Reply To: Nico Kadel-Garcia <[log in to unmask]>
Date: Sun, 24 Sep 2017 20:37:20 -0400
On Sun, Sep 24, 2017 at 2:48 PM, Nico Kadel-Garcia <[log in to unmask]> wrote:
> On Sat, Sep 23, 2017 at 3:52 PM, Keith Lofstrom <[log in to unmask]> wrote:
>> On Tue, Sep 19, 2017 at 11:47 PM, Bill Maidment <[log in to unmask]> wrote:
>>> So much for security issue support for 10 years. Probably best to assume
>>> only 7 years in real life.
>>
>> On Wed, Sep 20, 2017 at 07:24:25AM -0700, Akemi Yagi wrote:
>>> Here's the description about "Production 3 phase":
>>> "During the Production 3 Phase, Critical impact Security Advisories
>>> (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be
>>> released as they become available. Other errata advisories may be delivered
>>> as appropriate."
>>> So, yes, not all security updates are available once RHEL (therefore
>>> Scientific Linux) goes into that phase.
>>
>> In a larger sense: how much work is it to semi-automate
>> the process of backporting all these security fixes from
>> SL6 and SL7 to earlier distros?
>
>> While SL7 follows what RedHat does (and rightly so),
>> perhaps there are enough of us here (and using CentOS
>> for similar reasons) to fork a "superstable" distro
>> and pay a few people to support the fork.

Come to think of it, three examples of the difficulties come to mind:
Subversion (for which I used to publish RPMs over at rpmforge), Samba,
and httpd. Backporting Subversion was a pain: the individual patches
were not compatible with obsolete versions of Subversion, and newer
versions had considerable library update requirements, such as mod_svn
(for a while), and later serf (which required a much newer version of
serf). Samba... requires a profoundly updated gnutls for current
releases with current architectural support. It got much better when
cifsutils became an independent package, but backporting features was
not pretty. I worked with that for various Samba feature requirement
reasons. And httpd, oh dear lord, when Apache 1.x became httpd-2.x,
*everything* became a dependency adventure, especially due to some
very funky numbering and perl module dependency confusion for mod_ssl.
