On 04/25/2014 10:27 AM, olli hauer wrote:
> On 2014-04-25 15:25, Pat Riehecky wrote:
>> On 04/24/2014 04:21 PM, Orion Poplawski wrote:
>>> On 10/17/2013 02:27 PM, Connie Sieh wrote:
>>>> ---------- Forwarded message ----------
>>>> Date: Thu, 17 Oct 2013 15:25:39 -0500
>>>> From: Connie Sieh <[log in to unmask]>
>>>> To: [log in to unmask]
>>>> Subject: Software Collections 1.0 is available for SL 6
>>>>
>>>> The following TUV "software collection" products are now available for SL 6.
>>>>
>>>> A README with info about yum repos for these packages is available from
>>>> ftp://sldist.fnal.gov/linux/scientific/6x/external_products/softwarecollections/README
>>>
>>> Any chance of yum-conf-softwarecollections ending up in the main SL repos?
>>>
>>
>> That's an interesting idea. Let's take it to the devel list and see what people think.
>
> @me not subscribed to the devel@ list so giving my rant here.
>
> The versions provided in softwarecollections have almost already known vulnerabilities.
>
> Picking only the latest CVE entries retrieved after softwarecollections publish date.
>
> php-5.4: CVE-2013-6420
> postgresql: CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063 CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 CVE-2014-0067
> python27 / python33: CVE-2014-1912
> ruby193: CVE-2013-4491 CVE-2013-6414 CVE-2013-6415 CVE-2013-6416 CVE-2013-6417
>
> Until the collection gets more notice from upstream I don't think it is a good idea to provide yum-conf-softwarecollection.

Yikes! Anyone report these CVEs to upstream to make sure they didn't get misplaced?

Pat

--
Pat Riehecky
Scientific Linux developer
http://www.scientificlinux.org/