At 10:33 AM 1/29/2002 +0100, you wrote:
Does/will Yast online update support HTTP (or at least http proxy)?
yes, they added http support with one of the latest YOU updates, however you can't choose it - it only uses it when it wants to. SuSE doesn't have HTTPD running on any of their FTP servers either (wish they did)
We will likely run http servers at some time in the future. Currently, we do not. Most of the mirrors of the SuSE trees do not have http access as well. If we are the only ones who provide packages via http (e.g. without the majority of the mirrors), then our leased lines couldn't handle the load any more. We're talking global aspects here, not only some wishes. The local resource problem is solvable, but the bandwidth problem is not. It needs many many sold SuSE Linux packages to afford our connectivity. So far for the server-side. The client-side (YOU) needs http support so that proxies can be used in an easy fashion. As I said in an earlier mail, we are working on it. It's not trivial in some respects.
As ftp is a weird protocol anyway, I don't think it should be used so much, especially for important things like updates.
They should use scp :-)
Nobody would argue that a protocol that opens secondary connections opens up a lot of problems, many of which are security related (filtering). It's all a matter of alternatives.
I have some servers behind an MS Proxy Server and can't use online update, because yast doesn't support any proxy, and socksify + bouncer on a machine with MS Proxy client installed doesn't work either (http/ssh works though). And once again, why is YOU not half as cool as apt-get ??
Because the people who are working on it don't seem to care enough. It's slowly getting better but I really don't understand why a little more effort isn't put into it, since it's a highly sought-after feature.
No comment to the clearly non-technical claims.
Anyway, that's not the worst of YOU's problems - it uses its own internal patch manager and never consults rpm. Due to this, a patch is always marked as "installed" unless you do some hacking. For instance the other day I fried my MySQL installation while testing and had to do an ftp reinstall from yast1. It installed the old original versions of MySQL & Co., and when I opened YOU the mysql updates that I _knew_ were there were not available to be selected. I had to hack some things to get YOU to wake up. This is very bad.
There is no such thing as an "internal patch manager". YOU sees a file "openssh-3", has one called "openssh-2" and concludes that the "-3" version is newer. If you do everything as it wants to, then it will work. In particular, a defective portion of code in YOU requires an update of YOU itself. If you do not approve of it, it won't see all the other updates as well. It's so easy. There used to be one problem with the naming of the openssh-2 patch description: We manually ++'ed the number to -3 b/c the mechanism to do this was a bit glitchy.
Also if you download, say 5 updates (this actually happened to me) and during the install part rpm gives an error, say on the second package, the installation ceases (i.e. the remaining packages do _not_ get installed) yet YOU marks them as successfully installed anyway.
This is a bug (among a bunch of others) that needs to be fixed.
This actually happened to me when I was trying to update at, netscape, openssh and w3m at the same time. The NS package was corrupt, and YOU just skipped over sshd and w3m without mentioning it. I only realized what was happening because YOU "finished" the installation too fast. If I had not been paying attention I would have _thought_ I'd upgraded sshd and would in fact have still been using the old version.
We have seen problems with corrupt packages on our mirrors lately, we don't know how this can happen.
This is very bad.
I have submitted several bug reports to feedback@suse.com and bugs@suse.de and not heard back from them. I have a serious mind to submit this to BugTraq in the hope of forcing SuSE to do something about it.
You have seen autogenerated mails from feedback@suse.com (and probably from bugs@suse.de as well). The mail clearly states that not everything can be handled, and it might take some time until you get anything back (if at all).
You also seem to be aware of security announcements, are you? At least, you are reading this list. But then, you should be aware of the primary security contact of SuSE:
I've never done anything like that before - do you think I should? It's really quite important and SuSE _need_ to fix it. I'm not sure if it's serious enough for BugTraq though.
For sure it's serious enough for security@suse.de. Thanks for the effort of writing to this list, at least. Roman.
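
The failure mode discussed in this thread (a batch of updates where one package fails, yet the rest are recorded as installed) can be avoided by recording a patch as installed only when the install step succeeded and the rpm database itself lists the package. The sketch below is an added example, not code from this thread or from YOU; the function names, the /tmp paths and the package versions are hypothetical and constructed for illustration.

```python
import subprocess

def rpm_install(path):
    """Install/upgrade one package file; returns rpm's exit status."""
    return subprocess.call(["rpm", "-U", path])

def rpm_has(name_version):
    """True only if the rpm database itself lists this name-version."""
    return subprocess.call(["rpm", "-q", name_version],
                           stdout=subprocess.DEVNULL,
                           stderr=subprocess.DEVNULL) == 0

def apply_updates(updates, install=rpm_install, verify=rpm_has,
                  stop_on_error=True):
    """updates: list of (name_version, package_path).
    Returns {name_version: "installed" | "failed" | "not_attempted"}."""
    # Nothing counts as installed until proven otherwise.
    status = {nv: "not_attempted" for nv, _ in updates}
    for nv, path in updates:
        rc = install(path)
        # Trust neither the exit code alone nor our own bookkeeping:
        # the patch is "installed" only if rpm's database agrees.
        if rc == 0 and verify(nv):
            status[nv] = "installed"
        else:
            status[nv] = "failed"
            if stop_on_error:
                break          # later packages stay "not_attempted"
    return status

def demo(stop_on_error=True):
    """Constructed run: four updates, the second package file is corrupt."""
    db = set()                 # stands in for the rpm database
    def fake_install(path):
        if "netscape" in path: # constructed corrupt package
            return 1
        db.add(path.rsplit("/", 1)[-1][:-len(".rpm")])
        return 0
    names = ["at-1.0", "netscape-1.0", "openssh-1.0", "w3m-1.0"]  # constructed
    updates = [(n, "/tmp/" + n + ".rpm") for n in names]
    return apply_updates(updates, fake_install, db.__contains__, stop_on_error)

if __name__ == "__main__":
    for name, state in demo().items():
        print(name, state)
```

With the constructed input, the openssh and w3m entries end up as "not_attempted" rather than "installed", so an administrator reading the result can see that sshd was never upgraded.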