Arthur Pemberton wrote:
Well it would be nice if you discuss one topic at a time, fedora
updates is one matter, and SELinux history is another.
You can't separate them unless you can describe the process someone
would use to get one without the other. It's a package deal.
Your argument seems to be to remove, my argument is disable/don't
enable if you don't like it. And if that's not your argument, you're
arguing alongside those who are calling for its removal. The better thing
would be to use your skills to find any and all left over bugs as the
technology expands.
Disabling works for me, but in my opinion it would have been better to
have it as a separate installable package not included by default.
I have personally had multiple instances of devices that were not
supported in new versions, devices that changed names, breaking the
configurations, updates that installed kernels that would not boot
previously working systems, and the list is full of similar problems in
addition to the ones mentioning SELinux.
That's two different issues. The former is regression issues - most of
which aren't probably even directly the fault of Fedora.
Fedora may not have written the code that broke things, but they didn't
have to ship it.
But assume your payroll system is running on
something that fails to boot or can't access its data after you do an
update that is required for some security issue. Now what?
Now you get fired for using a fast pace, mostly bleeding edge distro
in your fiscally important production environment.
Is that made clear in all places where fedora is distributed?
Perhaps, but if you want to deliver a product that does not have a
usable way to fix subsequently discovered security flaws after a short
time then it should have an actual expiration date and self-destruct
instead of being left as easy prey for exploits that turn them into
zombie spam relays or worse.
You know that's not really possible. People still run Windows 95,
Fedora is the last place to look for expiring distros.
I doubt if there is a windows95 box still running in a position to be
compromised that hasn't already been.
I, and probably most of the list members
here, understand the experimental nature of fedora and that it simply is
not suitable for anything that needs to be reliable over long periods of
time.
I'm confused, your arguments were all based otherwise.
My understanding comes from experience that is not reflected in fedora
PR material. I'd like a little more truth in advertising for new users.
However, I don't think everyone who has installed fedora
understands that or the dangers of continuing to run any software beyond
the time it is supported with security updates.
I don't know what anyone can do about that? Make people agree to an
EULA that says they must upgrade every cycle?
Backport update patches or force it to shut down. Otherwise it is a
public danger.
It
makes sense just because of the difficulty of keeping the installation
up to date over the life of a machine.
It's not difficult. It's inconvenient for _some_ - not sure what percentage.
Let's qualify that 'not difficult' statement. How much would you charge
to do this for me over the next 5 years?
Fedora isn't the only distro in
this shape but it is probably one of the most popular with one of the
most difficult upgrade paths.
Again, you're talking about Fedora upgrade paths in a thread about
SELinux. We can't have a constructive discussion if you want to argue
two different issues at the same time.
Security isn't a single thing so it doesn't make sense to discuss one
piece out of context. I'm arguing that updates are your first line of
defense and anything that makes your updates slower or less likely hurts
more than SELinux can help.
I wouldn't be surprised if there are
still large numbers of FC1 through FC5 installations in use
A majority of those would be lazy/cheap/lying hosting companies who
just throw Fedora on machines and then don't update them
I'd guess more normal end users, but in the hosting company case, how
much will break if they update? Would you trust a version upgrade on a
fedora box with customers' arbitrary applications?
because the
currently supported versions don't ensure (or even suggest) backwards
compatibility, in place upgrades, or even a convenient way to back out
to your previous version if you try an upgrade and find that it doesn't
work with your hardware or applications.
That's all true. But again, has little to do with the topic at hand.
If the topic at hand is security, it has everything to do with it.
It isn't a technically trivial problem to get fast paced moving
software to revert to any previous state, far less to do that
reliably. If you're interesting a SIG to solve this problem, I don't
think you will get any resistance. However, for a lot of the people
doing the actual work, they don't seem to consider this a high
priority problem, I myself don't.
I agree that this is probably hopeless for Linux because it isn't a
priority. Solaris has always gone to extremes about maintaining
backwards compatibility and not breaking working applications so maybe
the new distros like nexenta that use the opensolaris kernel will
continue this history.
--
Les Mikesell
lesmikesell@xxxxxxxxx