The difference in speed of release of updates, or the release of the updates at all, seems to have greatly changed with time between Red Hat Linux 9 and Fedora Core 1. This seems to be a confirmation of my fears. If you compare the Red Hat Linux 9 errata list over the last few months to Fedora's updates list, you see delays or lack of releases for Fedora Core 1 that were made for Red Hat Linux 9. Examples: mailman (only in Fedora Core 1 updates testing), slocate (4 days late), mc (no update), tcpdump (no update), and httpd (3 weeks late). The emerging policy inside Red Hat for Fedora Core is something like "be as lazy as you want to be about security updates." The net effect seems to be many local exploits, and remote exploits attackable for too long.

You might question if this is just a case of different packages and versions between Red Hat Linux 9 and Fedora Core 1. I did look at the Red Hat 9 errata closely for affected versions, and compared dates. In the above cases Fedora Core 1 should be in the affected list. There are also issues that end up isolated to Fedora Core 1, like the current situation with gaim. There are vulnerabilities in gaim (patch available, Debian has used it) and there is no sign of a patched rpm for Fedora.

So Red Hat is neglecting Fedora Core 1's security. This is very disturbing. It is made worse from my perspective by talk of community involvement in packaging, but then almost none exists. The community could put a lot of effort into security releases to take some of the burden off Red Hat. Then its job would be to confirm it and release it. At the very least it would get things into updates testing faster, and hence make them more available.

URLs about errata/updates:

https://rhn.redhat.com/errata/rh9-errata.html

http://fedoranews.org/updates/