thomas.cameron@xxxxxxxxxxxxxxx wrote:
> I know that RHEL 3 is basically the "enterprise" version of Red Hat Linux
> 9. I know that FC1 was basically what Red Hat Linux 10 would've been had
> Red Hat not made the changes they made.
>
> So here's my question... Is it possible to keep, say FC1 up to date using
> RHEL packages? I mean grabbing the .src.rpm from a mirror and compiling
> it?

http://fedora.redhat.com/about/faq/ says:

Q: Will Red Hat's supported products contain all the packages found in Fedora Core?

A: In order to focus our efforts and limit support costs, we will probably select a subset of packages found in Fedora Core to include in the supported product line.

So those packages not in RHEL will (obviously) not be updated by RHEL updates.

Now, especially since you're proposing compiling from source, updated packages from the "right" RHEL should compile and install on the "right" Fedora. If you're lucky, they will even satisfy the right dependencies, so that you can install them without having to break other packages that depend on them.

These packages will have the security fixes for issues within a package, and these are the most common. However, there is another, more subtle, form of security bug, where another package doesn't work quite the way a programmer thinks it does. If you're unlucky, only certain versions of the other package won't quite work the way that programmer thinks they do.

(Example: I look after AIX boxes at work. They run OpenSSH, which I compile from source, since it was taking a while for new AIX packages to appear. And I use gcc, because it's there and the native AIX compiler costs money. There was a security vulnerability on AIX in versions prior to 3.6.1p2, because the AIX linker works slightly differently to the rest of the world [1], and if gcc was used, the OpenSSH build scripts would use it and the AIX linker in such a way that setuid binaries would be vulnerable. [2])

Now the libraries and compiler support on RHEL will be at different versions to the FC ones. So it is possible that you'll get security problems like the one I got.

So basically, you'd have to track all the advisory lists, check reported bugs, and make sure that you weren't vulnerable. And you'd have to have plans for what happens if RHEL doesn't need a fix, but you do.

It's possible. But it would be a lot easier just to track White Box Linux.

Hope this helps,

James.

[1] This is not uncommon on AIX.
[2] It wasn't a remote access vulnerability, "just" an escalation of privilege vulnerability.

-- 
E-mail address: james | "The duke had a mind that ticked like a clock and,
@westexe.demon.co.uk  | like a clock, it regularly went cuckoo."
                      | -- Terry Pratchett, Wyrd Sisters