On Fri, 23 Apr 2004, Kevin M. Shortt wrote:

> Hi all,
>
> I am relatively new to RH and fedora.
> I have no production servers in place for either distro and have
> only been playing with it for a short while, so please forgive
> me if I seem to sound clueless with the handling of rpm's and up2date.
>
> I am used to downloading the source (for any package) and compiling
> it myself and maintaining it myself. RH/FC has up2date and rpm's.
> I've discovered that the latest version of something available via up2date
> (or even on rpmfind.net) is NOT the latest recommended version on the
> "vendors" site.
>
> For instance, I use openssl. Well www.openssl.org has 0.9.7d available
> and is the recommended stable and secure release of openssl.
> Well the latest version from up2date that I have found is openssl 0.9.7a.
> I have only used the one mirror that I have set up thus far.
> On my machine "rpm -qi openssl" returns info on openssl-0.9.7a-33.10.
>
> I am trying to learn the ways of rpm's and get accustomed to its
> convenience. However, if I need to break from the standard to comply
> with security vulnerabilities on select software, then it's really
> not doing me any good in the long run.
>
> Can anyone remark or comment to help me either correct my ignorance
> or share with me what you do to combat needing to maintain both
> ways of administrating your machines?
>
> Thanks in advance..

Since no one has taken a stab at this yet....

1. You don't want to be replacing critical components with newer
versions - especially openssl. This could break other packages. There is
some discussion about this in the fedora-devel mailing list (don't have
the correct url to this discussion).

2. Generally Red Hat backports security patches to critical components
(kernel/glibc/openssl/openssh). You can't rely on the version number to
know which fixes are already applied. The changelog is one place where
this info is usually documented:

    rpm -q --changelog openssl | grep CAN

http://www.redhat.com/mailman/listinfo/fedora-announce-list

3. wrt long term security fixes, the fedora-legacy group is picking up
the work after the EOL from Red Hat. You might want to check out
http://www.redhat.com/mailman/listinfo/fedora-legacy-list
http://www.fedoralegacy.org/

4. There are multiple repositories which provide precompiled rpms for
FC1. You don't have to rebuild these binaries. I rebuild only if I have
to get the rpm from a different distribution (via rpmfind). And I manage
all the repositories (fedora, extras, dag, my-local-build-rpms) using
yum (instead of up2date).

My experience is with managing linux on my laptop.

Satish
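The point in item 2 above is the one that bites people coming from a build-from-source habit: a backported fix leaves the upstream version string (0.9.7a) untouched, so the only reliable record of what is patched is the package changelog. The script below is an added example for this thread, not code posted by either participant. It parses output in the format `rpm -q --changelog` prints (an `* <date> <maintainer> <version-release>` header followed by `- ` description lines), maps every CAN-/CVE- identifier it finds to the version-release whose entry first mentions it, and reports which of a list of advisories you care about are still unaccounted for. The embedded changelog is constructed for the example; the advisory ids in it (`CAN-0000-000x`) are placeholders, not real advisories, and the maintainer name is made up. Only the `rpm -q --changelog` invocation at the bottom, which runs against a real installed package, is the actual tool from the thread.

```python
"""Check an rpm changelog for backported security fixes.

Red Hat backports fixes without bumping the upstream version, so the
version number alone (0.9.7a vs. 0.9.7d) says nothing about which
advisories are already applied. The changelog does. This is a parsed,
reusable version of `rpm -q --changelog openssl | grep CAN`.
"""
import re
import shutil
import subprocess
from typing import Dict, Iterable, List

# Constructed sample in the format `rpm -q --changelog` prints. The
# advisory ids and maintainer are placeholders for the example only;
# they are NOT real advisories or real Red Hat changelog entries.
SAMPLE_CHANGELOG = """\
* Thu Mar 18 2004 Example Maintainer <maint@example.com> 0.9.7a-33.10
- backport upstream fix for CAN-0000-0002 (placeholder id)
- backport upstream fix for CAN-0000-0003 (placeholder id)

* Tue Sep 30 2003 Example Maintainer <maint@example.com> 0.9.7a-20
- fix for CAN-0000-0001 (placeholder id)

* Mon Feb 24 2003 Example Maintainer <maint@example.com> 0.9.7a-2
- update to 0.9.7a
"""

# Entry header: "* <Dow> <Mon> <day> <year> <name> <email> <version-release>".
# rpm writes the version-release as the last whitespace-delimited token.
HEADER_RE = re.compile(r"^\* \w{3} \w{3}\s+\d{1,2} \d{4}\s+.*\s(\S+)$")

# CAN- was the candidate prefix in 2004; CVE- is the current one.
ADVISORY_RE = re.compile(r"\b(?:CAN|CVE)-\d{4}-\d{4,}\b")


def fixed_advisories(changelog: str) -> Dict[str, str]:
    """Map each advisory id in the changelog to the version-release of the
    oldest entry that mentions it, i.e. the release where the fix landed.
    rpm prints newest entries first, so later matches overwrite earlier ones."""
    fixed: Dict[str, str] = {}
    release = None
    for line in changelog.splitlines():
        header = HEADER_RE.match(line)
        if header:
            release = header.group(1)
            continue
        if release is None:
            continue  # text before the first header; nothing to attribute it to
        for advisory in ADVISORY_RE.findall(line):
            fixed[advisory] = release
    return fixed


def missing_advisories(changelog: str, wanted: Iterable[str]) -> List[str]:
    """Advisories from `wanted` that the changelog never mentions. These are
    the ones you still have to act on; the version string would not tell you."""
    fixed = fixed_advisories(changelog)
    return sorted(a for a in wanted if a not in fixed)


def installed_changelog(package: str) -> str:
    """Changelog of an installed package, via the real rpm command."""
    result = subprocess.run(
        ["rpm", "-q", "--changelog", package],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for advisory, release in sorted(fixed_advisories(SAMPLE_CHANGELOG).items()):
        print(f"{advisory} fixed in {release}")
    print("still missing:", missing_advisories(SAMPLE_CHANGELOG, ["CAN-0000-0001", "CAN-0000-0009"]))
    # Same check against the real installed openssl, if rpm is available.
    if shutil.which("rpm"):
        print("installed openssl fixes:", fixed_advisories(installed_changelog("openssl")))
```

Feed `missing_advisories()` the ids from the advisory you are worried about and the changelog of the installed package; an empty list means the fix is already in the build you have, whatever its upstream version number says. A mention in the changelog is the maintainer's claim, not proof, so for anything critical confirm against the errata announcement on fedora-announce-list.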