On Wednesday 18 September 2002 10:58, Peter Poeml wrote:
Sometimes on this list folks express doubts whether a package contains a certain fix or not. Even if the security announcements say the packages are not vulnerable, they want to know for sure. Looking at the version number of the package is most likely not enough to be sure... but how then? How to look "into" the packages?
I thought I'd write up a short howto and post it here.
I just wanted to post on-list a big thanks to you and the rest of the security team for helping the paranoid folks of the world how to not trust you. :) Honestly, that's a good thing, because people can verify for themselves that something was done to fix the problem, and the really paranoid can look for the fix themselves. I sure know that you can get no FAQ or similar from any closed source company, where you're forced to trust them, and you're usually handed a new rev with other changes along with the security fix. For the really security paranoid folks, there are methods of ensuring that the fix was applied, and possibly more importantly, ONLY that fix was applied. Of course, for the slightly less paranoid, we just -Uvh the binary and keep on going. However, it gives me a lot of peace of mind that I have ultimate control on the security and safety of my system: if I don't trust you, I can verify that you've done your job. Not that I'd ever have to, mind you. A big thanks to the SuSE security team!

Donavan Pantke