Re: [suse-security] Postfix & Squid Package updates
As I know the SuSE boys are usually pretty busy, I'm going to answer this on their behalf.

SuSE like to do their own code audit of packages before they are added to the distribution. This includes audits of new code additions to existing packages. This is a "very good thing" (tm) for _your_ security, and has saved SuSE from hurriedly releasing patches to security holes. That is one of the reasons why SuSE, while it is the largest Linux distro available, has a relatively low number of major security holes.

Now, code audits are VERY time consuming, as they don't just have to find ONE hole (like the crackers) but ALL possible holes. Due to the large number of people poking at holes in packages, and the recent climate of vendor notification before publication on BugTraq, it's quite possible/probable that the code auditors at SuSE are feverishly trying to fix a (privately) known hole in something, which obviously has a lower priority than adding (possibly) unneeded features to perfectly functional packages.

So, the answer to your question is that SuSE _may_ release the updates to these packages, _if_ they think the new features are worthwhile AND secure. There are still some packages in SuSE 7.0 that are a version or two behind, due to the messy code in the newer updates, and because the newer features were considered unnecessary.

IMHO this is the reason that you pay to buy SuSE. That is to get a tried/tested/audited distribution. If you have looked at the newer versions of the packages you want and decided that there is some new feature that you _simply can't live without_ then by all means compile it yourself. After all, that is the reason SuSE ship gcc, and make ;-)

HTH
-Nix

At 11:02 AM 18/12/2000 +0200, you wrote:
Hi All
Will SuSE be releasing version updates for Postfix and Squid?
The default versions released with SuSE 6.4 are Postfix Version: 19991231pl05 and Squid Version: 2.3.STABLE2
Thanks in advance
Steven
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
-- Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking
Hi. On Tue, 19 Dec 2000, Nix wrote:
As I know the SuSE boys are usually pretty busy, I'm going to answer this on their behalf.
SuSE like to do their own code audit of packages before they are added to the distribution. This includes audits of new code additions to existing packages. This is a "very good thing" (tm) for _your_ security, and has saved SuSE from hurriedly releasing patches to security holes. That is one of the reasons why SuSE, while it is the largest Linux distro available, has a relatively low number of major security holes.
I don't think that SuSE has done a code _audit_ on any of the packages they ship (Roman, correct me if I'm wrong). They just do integration tests (and even those are not always as thorough (sp?) as they should be, remember the OpenSSH "debacle" last time). My argument is supported by the lack of an audit for the kernel, which has to go a long way, yet there are SuSE packages for it. Use OpenBSD if you want a really audited operating system (save all those server programs you'd need). And concerning the number of security holes, I don't think SuSE is really better than, say, Debian. They are quite active in fixing the holes nowadays thanks to a really good security department.
Now, code audits are VERY time consuming, as they don't just have to find ONE hole (like the crackers) but ALL possible holes. Due to the large number of people poking at holes in packages, and the recent climate of vendor notification before publication on BugTraq, it's quite possible/probable that the code auditors at SuSE are feverishly trying to fix a (privately) known hole in something, which obviously has a lower priority than adding (possibly) unneeded features to perfectly functional packages.
see above
So, the answer to your question is that SuSE _may_ release the updates to these packages, _if_ they think the new features are worthwhile AND secure. There are still some packages in SuSE 7.0 that are a version or two behind, due to the messy code in the newer updates, and because the newer features were considered unnecessary.
I don't think there is really added benefit in releasing updated packages for the above-mentioned packages. They will get folded into the next version of SuSE Linux (7.1?), that's it.
IMHO this is the reason that you pay to buy SuSE. That is to get a tried/tested/audited distribution. If you have looked at the newer versions of the packages you want and decided that there is some new feature that you _simply can't live without_ then by all means compile it yourself. After all, that is the reason SuSE ship gcc, and make ;-)
That would also be my proposal: learn to make your own RPMs, build them, test them, install them.
HTH
-Nix
Greetings
olli
--
--------------------------------------
Oliver Hensel
FWIW, the official release version of Postfix is still Postfix Beta 19991231 Patchlevel 13. The newer versions are still classed by Wietse Venema as "experimental". Although WV says they are production quality, I doubt SuSE will ship a program still officially called 'experimental'. I run a recent "experimental" version without difficulty, however. It compiles extremely quickly. I can't see what problem you might have using it.
Corvin
--
Corvin Russell
FWIW, the official release version of Postfix is still Postfix Beta 19991231 Patchlevel 13. The newer versions are still classed by Wietse Venema as "experimental". Although WV says they are production quality, I doubt SuSE will ship a program still officially called 'experimental'. I run a recent "experimental" version without difficulty, however. It compiles extremely quickly. I can't see what problem you might have using it.
You obviously don't read the changelog entries for the experimental versions =) Lots of NASTY bugs have been squished (some fixes backported to 19991231, which is why we are at pl13). 19991231 makes an excellent Sendmail replacement; the snapshots support much more functionality but also come with issues. For perspective, I use a snapshot on my main mail server but my secondary and another site run 19991231 (so if I blow my main one up on an upgrade or some bug pops out I'm not up the creek for 24 hours =). I wouldn't quite yet recommend snapshots for production use unless you MUST have some functionality they provide that 19991231 doesn't (it's more an admin issue than technical). God I must be getting old, I'm advocating the use of "stable" software ;).
Corvin
-Kurt
On Mon, Dec 18, 2000 at 10:11:46PM -0700, Kurt Seifried wrote:

In fact I only use it on my FreeBSD box, for whatever reason -- probably just 'cause it was there. However, at least the original questioner has an authoritative answer now as to why the latest Postfix is not included. It always seems to require such a circuitous route to get the answers. Thanks Kurt.

C
FWIW, the official release version of Postfix is still Postfix Beta 19991231 Patchlevel 13. The newer versions are still classed by Wietse Venema as "experimental". Although WV says they are production quality, I doubt SuSE will ship a program still officially called 'experimental'. I run a recent "experimental" version without difficulty, however. It compiles extremely quickly. I can't see what problem you might have using it.
You obviously don't read the changelog entries for the experimental versions =) Lots of NASTY bugs have been squished (some fixes backported to 19991231, which is why we are at pl13). 19991231 makes an excellent Sendmail replacement; the snapshots support much more functionality but also come with issues. For perspective, I use a snapshot on my main mail server but my secondary and another site run 19991231 (so if I blow my main one up on an upgrade or some bug pops out I'm not up the creek for 24 hours =). I wouldn't quite yet recommend snapshots for production use unless you MUST have some functionality they provide that 19991231 doesn't (it's more an admin issue than technical). God I must be getting old, I'm advocating the use of "stable" software ;).
Corvin
-Kurt
--
Corvin Russell
SuSE like to do their own code audit of packages before they are added to the distribution. This includes audits of new code additions to existing packages. This is a "very good thing" (tm) for _your_ security, and has saved SuSE from
[---] I don't think that SuSE has done a code _audit_ on any of the packages they ship (Roman, correct me if I'm wrong). They just do integration tests (and even those are not always as thorough (sp?) as they should be, remember the OpenSSH "debacle" last time).
You are right: Thomas Biege, Sebastian Krahmer, Marc Heuse, Kurt Garloff and myself among many package maintainers wade through the code of packages, searching piles of spaghetti for bugs. This is done with packages that are of major concern wrt security, like network daemons or suid programs, sometimes other stuff like scripts and configs, too. But that also means that not _all_ of the programs are being investigated. The testing stuff needs improvement, yes. And please don't mention openssh again. :-/
My argument is supported by the lack of an audit for the kernel, which has to go a long way, yet there are SuSE packages for it. Use OpenBSD if you want a really audited operating system (save all those server programs you'd need)
And concerning the number of security holes, I don't think SuSE is really better than, say Debian. They are quite active in fixing the holes nowadays thanks to a really good security department.
Not my job to comment on this.
I don't think there is really added benefit in releasing updated packages for the above mentioned packages. They will get folded into the next version of SuSE Linux (7.1?), that's it.
Not wrong, but it doesn't quite hit it. Yes, we want to sell SuSE Linux boxes, but the amount of packages doesn't permit posting update packages for new features. We support security-updates, yes, and, frankly, as a former system administrator of 60+ boxes, Linux + Solaris, most of them servers, I'd rather not install an update package if it isn't security related. I wait until the next release gets published and do all the cleanup in one strike.
Greetings olli
Thanks,
Roman.
--
- -
| Roman Drahtmüller
On 19 Dec 2000, at 10:38, Nix wrote:
compile it yourself. After all, that is the reason SuSE ship gcc, and make ;-)
Hi, there is a problem of consistency/documentation here. If you see a program's homepage that says "upgrade to version X, because previous releases had security problem Y" and SuSE ships version X-1, how do you know that SuSE has already fixed Y in the version they ship?

mike
participants (6): Corvin Russell, Kurt Seifried, Nix, Oliver Hensel, Roman Drahtmueller, Thomas Michael Wanka