Re: Fedora Extras is extra

Michael A. Peters wrote:

> On 11/29/2004 03:07:17 AM, Axel Thimm wrote:
>
>> Or let me rephrase the problem, why do some people insist that
>> replacing packages is bad? The replacements are obviously done for
>> some reason, and not for reducing stability and security.
>
> It's bad for several reasons -
>
> 1) Bugzilla.
> A user has a bug in a program; they report it to bugzilla, clueless to the fact that their Fedora binary was replaced by my package and that the bug may not be present in the Fedora binary.

I might agree with you on that one, except that a user should really run an rpm -q package_name (possibly even rpm -qi) before reporting a bug. Red Hat's Bugzilla actually requests users to do this task for this reason (and has done so at least ever since I started seriously messing around with RHL back in the 7.1 days) (-qi is my idea though).

> 2) Security
> Fedora does sometimes patch packages for security.
> Say Fedora puts a security patch in balsa-2.2.4 but the user is running my balsa-2.2.5 package - which also has the vulnerability, but I am not aware of it or the patch.
>
> Fedora releases a new balsa 2.2.4 package fixing the security issue, but the user doesn't get the update because they have balsa 2.2.5.

Not every package has security vulnerabilities. This also goes against what Axel said earlier that the repositories were faster to respond with a patched OpenSSH than Red Hat was. These guys are on top of their game and should not be doubted.

In addition (other than the OpenSSH example), I haven't found a replacement package yet that had any potential security vulnerabilities (see next).

> 3) Newer isn't always better.
> Maybe libfoobar.so.3.3 provides something that a fooripper needs that libfoobar.so.3.2 doesn't provide, but at the same time breaks some things that I did not test for when packaging the newer libfoobar.

As pointed out by Dag elsewhere on this thread (I'm proud that I could start such a huge one!), "BTW the core packages that are replaced (at least from the RPMforge project, FreshRPMS, Dries, Dag and PlanetCCRMA) are minor, only for leaf-packages (not libraries) and if there's a real need. My website has a Rationale attached to each of these packages." So your example is moot.


----
Peace,
William

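As an added example (not part of the thread and not code from any of the posters), a small POSIX shell helper for the check William recommends at point 1 (run rpm -q / rpm -qi before filing a bug) and for the update-shadowing problem Michael describes at point 2: it lists installed packages whose RPM Vendor tag is not the distribution's, since those are exactly the packages a distro security erratum such as the balsa-2.2.4 fix will never update. It assumes the rpm query format string shown, that the distribution stamps its own builds with the vendor string "Red Hat, Inc." (override DISTRO_VENDOR for other distros), and the sample inventory is constructed, not real rpm output.

```shell
#!/bin/sh
# Added example (not from the thread): flag installed RPMs whose Vendor tag is
# not the distribution's. Such packages replaced the distro build, so the
# distro's security errata will never reach them, and a bug report against
# them should say which repository the binary actually came from.

# Vendor string the distribution stamps on its own builds (assumption; set
# DISTRO_VENDOR in the environment to match your distro).
DISTRO_VENDOR="${DISTRO_VENDOR:-Red Hat, Inc.}"

# Query format assumed for rpm: name, version-release and vendor, tab separated.
RPM_QF='%{NAME}\t%{VERSION}-%{RELEASE}\t%{VENDOR}\n'

# Read NAME<TAB>VERSION-RELEASE<TAB>VENDOR lines on stdin and print, as
# "name version-release vendor", every line whose vendor is not $DISTRO_VENDOR.
list_foreign_packages() {
    awk -v distro="$DISTRO_VENDOR" '
        BEGIN { FS = "\t" }
        NF >= 3 && $3 != distro { print $1, $2, $3 }
    '
}

# Run the query against the live rpm database (only works on an RPM-based system).
list_foreign_installed() {
    rpm -qa --qf "$RPM_QF" | list_foreign_packages
}

# Constructed sample inventory (not real rpm output): balsa has been replaced
# by a third-party 2.2.5 build, the other two are the distribution's own.
sample_inventory() {
    printf 'openssh\t3.9p1-7\tRed Hat, Inc.\n'
    printf 'balsa\t2.2.5-1\tExample Third-Party Repo\n'
    printf 'libfoobar\t3.2-1\tRed Hat, Inc.\n'
}

sample_inventory | list_foreign_packages
# prints: balsa 2.2.5-1 Example Third-Party Repo
```

On a live system, list_foreign_installed gives the set of packages to watch on the third-party repository's own errata rather than the distribution's, and the rpm -qi output for any package it flags is what belongs at the top of a bug report so the maintainer knows which build is being reported against.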