On Mon, Nov 29, 2004 at 06:54:08PM +0000, Michael A. Peters wrote:
> On 11/29/2004 03:07:17 AM, Axel Thimm wrote:
> > Or let me rephrase the problem, why do some people insist that
> > replacing packages is bad? The replacements are obviously done for
> > some reason, and not for reducing stability and security.
>
> It's bad for several reasons -
>
> 1) Bugzilla.
> A user has a bug in a program, they report it to bugzilla, clueless to
> the fact that their Fedora binary was replaced by my package and that
> the bug may not be present in the Fedora binary.

rpm -qi is your friend, and I have not seen one bug at
bugzilla.redhat.com that was accidentally for a 3rd party repo (not
that I exclude that there will be any, but this hasn't ever been
articulated to be a problem). After all one of the first entries you
have to make is the version-release of the package.

> 2) Security
> Fedora does sometimes patch packages for security.
> Say Fedora puts a security patch in balsa-2.2.4 but the user is running
> my balsa-2.2.5 package - which also has the vulnerability, but I am not
> aware of it or the patch.

That's not confined to packages replacing core packages. If your
package has a security flaw, be it a replacement or not, you need to
fix it, otherwise you leave open holes on your users' systems. In fact
the situation is worse with non-replaced packages, as for replacements
there is a good chance that the updated core packages will close your
security hole (and a lot of replaced packages have a versioning scheme
to automatically fallback to the security updated vendor package,
e.g. see the ATrpms' kernels).

> Fedora releases a new balsa 2.2.4 package fixing the security issue,
> but the user doesn't get the update because they have balsa 2.2.5
>
> 3) Newer isn't always better.

That's hardly a focus for the patches/updates/replacements. "Newer is
better" is rawhide's job. The largest part of the updates are due to
other packages requiring it.

> Maybe libfoobar.so.3.3 provides something that a fooripper needs that
> libfoobar.so.3.2 doesn't provide, but at the same time breaks some things
> that I did not test for when packaging the newer libfoobar.

-- 
Axel.Thimm at ATrpms.net
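The disagreement above turns on how an updater decides whether Fedora's patched balsa-2.2.4 supersedes a third-party balsa-2.2.5. The following is an added example, not code from this thread, from rpm or from ATrpms: a Python re-implementation of rpm's segment-wise version comparison (rpmvercmp) and of Epoch:Version-Release precedence, applied to the constructed balsa EVRs from the thread. The "fallback" release scheme at the end (keeping the vendor's version and release as a prefix and appending a suffix) is one way such a scheme can work and is an assumption, not a description of how ATrpms actually versioned its kernels.

```python
"""RPM-style EVR comparison, re-implemented for illustration (not rpm's own code)."""
import re

# rpm splits version strings into runs of digits, runs of letters, and '~';
# every other character (., -, _) is only a separator and is dropped.
_SEG = re.compile(r"(\d+|[a-zA-Z]+|~)")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpmvercmp() does.

    Returns -1, 0 or 1.  Numeric segments compare as integers and beat
    alphabetic ones; '~' sorts before everything, even the end of the
    string (so 1.0~rc1 < 1.0); a string with extra segments wins.
    """
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    i = j = 0
    while i < len(sa) or j < len(sb):
        x = sa[i] if i < len(sa) else ""
        y = sb[j] if j < len(sb) else ""
        if x == "~" or y == "~":          # tilde: that side is the older one
            if x != "~":
                return 1
            if y != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if not x or not y:                # one side ran out of segments
            break
        if x.isdigit():
            if not y.isdigit():
                return 1                  # number beats letters
            rc = (int(x) > int(y)) - (int(x) < int(y))
        else:
            if y.isdigit():
                return -1
            rc = (x > y) - (x < y)        # plain string order for letters
        if rc:
            return rc
        i, j = i + 1, j + 1
    if i >= len(sa) and j >= len(sb):
        return 0
    return -1 if i >= len(sa) else 1


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (epoch, version, release); epoch defaults to 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Epoch first, then Version, then Release, exactly in that precedence."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    rc = rpmvercmp(va, vb)
    return rc if rc else rpmvercmp(ra, rb)


def winner(installed: str, candidate: str) -> str:
    """What an updater keeps: the candidate only if it is strictly newer."""
    return candidate if evrcmp(candidate, installed) > 0 else installed


# Constructed EVRs mirroring the thread (not real Fedora/ATrpms packages).
VENDOR_FIXED = "2.2.4-2"       # Fedora's balsa with the security patch
THIRD_PARTY = "2.2.5-1.at"     # replacement that bumped the upstream version
FALLBACK = "2.2.4-1.1.at"      # assumed fallback scheme: vendor V-R as prefix
VENDOR_EPOCH_BUMP = "1:2.2.4-2"  # the blunt vendor tool: raise the Epoch


def scenario():
    """Return which EVR the user ends up with in each of the three cases."""
    return {
        "bumped_version": winner(THIRD_PARTY, VENDOR_FIXED),    # stays exposed
        "fallback_scheme": winner(FALLBACK, VENDOR_FIXED),      # vendor fix wins
        "epoch_bump": winner(THIRD_PARTY, VENDOR_EPOCH_BUMP),   # vendor fix wins
    }


if __name__ == "__main__":
    for case, evr in scenario().items():
        print(f"{case:16s} -> installed {evr}")
```

The middle case is the point of the thread: a replacement released as 2.2.4-1.1.at sorts above the vendor's 2.2.4-1 (so it is installed today) but below 2.2.4-2, so the vendor's security release replaces it without any action from the third-party packager. Bumping the upstream version instead (2.2.5) wins every comparison against a 2.2.4 release, which is exactly the case Michael describes.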