On Sat, 07 Feb 2004 14:46:01 -0800 "Nathan G. Grennan" <fedora-list@xxxxxxxxxxxxx> wrote:

> The difference in speed of release of updates, or the release of the
> updates at all, seems to have greatly changed with time between Red Hat
> Linux 9 and Fedora Core 1. This seems to be a confirmation of my fears.
> If you compare the Red Hat Linux 9 errata list over the last few months
> to Fedora's updates list you see delays or lack of releases for Fedora
> Core 1 that were made for Red Hat Linux 9. Examples: mailman (only in
> Fedora Core 1 updates-testing), slocate (4 days late), mc (no update),
> tcpdump (no update), and httpd (3 weeks late). The emerging policy inside
> Red Hat for Fedora Core is something like "be as lazy as you want to be
> about security updates". The net effect seems to be many local exploits
> and remote exploits attackable for too long. You might question if this
> is just a case of different packages and versions between Red Hat Linux
> 9 and Fedora Core 1. I did look at the Red Hat 9 errata closely for
> affected versions, and compared dates. In the above cases Fedora Core 1
> should be in the affected list.
>
> There are also issues that end up isolated to Fedora Core 1, like the
> current situation with gaim. There are vulnerabilities in gaim (a patch is
> available; Debian has used it) and there is no sign of a patched rpm for
> Fedora.
>
> So Red Hat is neglecting Fedora Core 1's security. This is very
> disturbing. It is made worse from my perspective by talk of community
> involvement in packaging, but then almost none exists. The community
> could put a lot of effort into security releases to take some of the
> burden off Red Hat. Then its job would be to confirm it and release it.
> At the very least it would get things into updates-testing faster, and
> hence make them more available.
>
> URL about errata/updates:
>
> https://rhn.redhat.com/errata/rh9-errata.html
> http://fedoranews.org/updates/
>
>
> --

I agree, the security fixes have been horrid and confusing. I don't expect Red Hat to take this problem up as actively as they do for RHEL.

I remember one RH employee (Nottingham?) called for a tool to parse advisories in Python and output into XML. I suspect this is needed to get some organization for them to apply things more efficiently. If I knew either of these languages I'd have been working on it for the last week. Can you code in them?

I suspect they are working on ways to get more community involvement, but policies are on the back burner at the moment or being worked on at a lower precedence than other issues. When Red Hat gets some guidelines together on how and what they want from us I think pieces will start coming together. Just speculation on my part at this point.