--- Brad Bendily <__> wrote:
On Thu, 26 Aug 2004 suse@rio.vg wrote:
Quoting "b@rry.co.za" <b@rry.co.za>:
A mistake has happened, been recognised, and guaranteed will be analysed to try and prevent the same mistake from happening again.
Most kids fall off their bicycle at some point. They learn at that point that turning in the sand at high speed is a bad idea and don't do it again (unless the truck they are trying to avoid takes their eyes off the road for a moment).
So all in all, SuSE keep it up, everyone else, shut up, I am getting to see this thread as SPAM in my security mailbox and am sure that while I am only adding to the problem now, hopefully you will all grow up and spend more time fixing your problems than whining because someone else isn't.
Hear, hear!
Perhaps you haven't had any problems at all, I don't know. But let's take an example that's been biting me: tripwire.
I almost made a comment, like the one I'm about to make, months ago but I decided to drop it and not create flames. But here's my opinion.
Suse doesn't make tripwire, they don't maintain tripwire, they don't do anything except add tripwire to their distro. They add, best guess, over 3000 different rpm packages to their distro. I don't find it terrible that each and every one of those aren't fully quality tested and that they don't work the first time. Sure, they shouldn't include it if they didn't test it, but really who is going to sit there and test each and every package. Is there anyone here who tests each and every package distributed with Suse? I think not.
Well, it should be. Adding a particular package to a distribution is a lengthy process: First, somebody (call him/her some Guru at SuSE: "GURU") decides that package "A" is of interest, for whatever reason. Then somebody else (call this guy/gal the Cost Manager at SuSE: "CM") authorizes the inclusion of package "A" in the distribution, in order to enhance the commercial value of that particular distribution. Don't forget that the GOAL of SuSE, Novell, or whoever is there is to make money. No product manager ("PM") will EVER authorize the inclusion of a particular package "A" that REDUCES the commercial value of the distribution, because it will REDUCE his/her efficiency selling the product. Then a third person (let's say, "pC") grabs the source, compiles it, packages it, and includes the package into the distribution tree. Now, at last, QA kicks in and should check that "pC" has done the job right, so "PM" will get good selling figures, so "CM" will be happy because the margins are high, so the "GURU" will open the Bonus Bag to "pC", "PM", "CM", "QA" and, most important, him/herself. So, for a company that wants to sell their distribution, it is CAPITAL that QA, CM, PM and pC do their job well. So, if a package doesn't work in a COMMERCIAL distribution, it is either fixed or replaced. If this means to talk with "A"'s maintainer, or to debug and fix the code and make sure the patches are added to the source, or to choose another package, or to choose not to include the functionality altogether, that's not important. The important thing is that the Distribution AS A WHOLE provides enough confidence in the market to sell well, and the only thing that will provide that confidence is to know that the company behind the distribution does their homework.
So what, a package doesn't work, go get the source and compile/install it yourself. That's what Linux is all about, you don't have to use the proprietary vendor's stuff ALL the time.
If the package doesn't work, compiling it yourself doesn't guarantee that it will work.
It doesn't really bother me that a package doesn't work, if I really want that package then I'll find other means to obtain it.
BB
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
regards, Riccardo