Hi, I don't like your tone, young man ;-) Seriously. Acting like this isn't helping anyone. If you're so dependant on Tripwire then install the 8.2 RPM with the force and nodeps flags or try compiling the source from tripwire.org. And if that doesn't work, then try another file integrity tool. There ARE alternatives to Tripwire, you know? AIDE is a good lead. In fact, I disagree with you on the MS SuSE comparison. It's totally the other way around. If SuSE acted like MS they would have just released the 8.2 RPM in the 9.0 branch and leave it that way since "it works". The fact that SuSE is actually investing time into a good solution is very important to me. In the meantime, the security minded admin is certainly capable to use something else than Tripwire. just my 0.02€ Tobias W. Am Mo, den 26.01.2004 schrieb suse@rio.vg um 16:43:

Quoting Thomas Biege :

...

On Sun, 25 Jan 2004, Stefano Bertotti wrote:

...

Dear Sir, we are near to SuSE 9.1 without official solutions for this problem in SuSE 9.0 ...

You have never explained the real nature of the problem.

Are You supporting the porting solutions from 8.2 proposed in this list ?

If the answer is "yes" can You publish the official patch on the onlineupdate servers, otherwise can You explain this incredible support delay...?

I think you want to write to security@suse.de .

Nevertheless, the bug appears due to an interaction with the binutils package. Our maintainer is working on an update (which isn't that easy).

Rather than have him 'working' on it and leaving the bulk of the SuSE community without the benefit of tripwire, why don't you take the copy of the tripwire rpm from 8.2 and copy it into the 9.0 branch so that people can actually USE it without having to manually go around the normal update system to get it.

It's all well and good to say it doesn't like our binutils or doesn't want to compile with gcc 3.x and to be "working" on it. However, that does the rest of us absolutely no good whatsoever.

You guys seem to be forgetting the first rule: It has to work. Having a program that actually works in FAR more important than binutil and compiler purity.

What's the point of a distribution if I have to work AROUND it to get things done? If I wanted to fight my operating system every step of the way, I'd run Windows. SuSE, of course, is far from that level. But the mentality behind how you guys are dealing with tripwire is just like Microsoft. You seem to care more about doing it your way than actually releasing something that works.

Hi, Am Mo, den 26.01.2004 schrieb suse@rio.vg um 21:03: ...

I took the 8.2 rpm and just installed it, no force or nodeps flags required. It works on every server I've installed it on.

Fine. So how long did that take you? 10 minutes?

Sure, it's great and all to have all everything compiled exactly the same and binutils happy and all that. That's a goal. However, 9.0 was released MONTHS ago. There is a certain point where you say "Use what works".

I understand your point. What I don't understand is this obvious "hostile" tone towards the SuSE people. Especially since there _is_ a workaround here. If there wasn't an easy way to run tripwire on SuSE 9.0 then I'd say: "Hey. You're right. Screw them." But that's simply not the case here.

They don't need to abandon figuring out why tripwire does work or fixing it. It will need to be done for the next release anyway. Taking your time BEFORE a release is a laudable goal. After release, it's time to get things WORKING.

Remember that Tripwire may be an essential tool for you and me but 99% of SuSE users certainly never heard of Tripwire. So shipping SuSE 9.0 without it is perfectly reasonable. After all, SuSE is a company bound by markets. If you can't live with the pressure companies face regarding release cycles then use Debian instead. In fact, I believe that's one of the main reasons why Debian stable is so popular.

In order to get tripwire to work, I have to manually install it. That's ANNOYING. The whole point of a distribution is so I don't have to install basic packages one by one. Tripwire is a basic requirement for any server.

See above. The "basic" installation comes without Tripwire. It is an extra, a bonus. It does not belong to the default installation. I totally agree with you that I wouldn't run any server without it, but hey, since when does an operating system has to come with everything you need? Certainly there is more than one software item that is missing in SuSE, that you have to get somewhere else and install yourself?

And, to be perfectly blunt, docilely sitting there and saying "Oh, well, I guess you can try aide or something..." is absolutely the wrong attitude to take. If suse doesn't think we care about tripwire, guess what? They probably won't either.

Well, SuSE certainly won't be motivated by "hate" mails, _demanding_ the immediate release of something.

Look back through the posts to suse-security, every time someone asks for advice on setting up a server, you'll see tripwire on the list of necessary items every time.

Maybe that's because this is "suse-security" and not "suse-linux"? People subscribing to this list have different needs and even more demanding attitudes. But that doesn't mean that they have to talk rude when there _is_ a perfectly good workaround to a problem that doesn't affect the default installation.

It's downright embarrassing that they still don't have a working package.

There is a working package. It's just not included in the 9.0 distribution by default. If you setup a server with a brand new distribution you have to take such risks. Nobody forced you to use 9.0. You could as well have used 8.2. In fact, before I use a new distribution for critical missions I usually wait a couple of weeks maybe even months and watch the security announcements and bugfix releases. When I decide that is has everything I need I buy it. Not a day before that. This strategy works perfectly with SuSE since they support their older distributions a long time. And THAT'S one of the main reason for SuSE ;-) I agree that this has to be fixed. But it really isn't an urgent matter.

I'm only harping on this becuase I care. If I didn't give a damn, I'd jump to Debian. SuSE has been good to me on every single other issue. I want SuSE to be even better. And putting the 8.2 tripwire package into the 9.0 tree as an update would make my life easier, and I doubt I'm the only sysadmin running 9.0 servers out there...

I really understand this. But I think you are playing this a little too hot here. Cool down. kind regards, Tobias W.

Am Montag, 26. Januar 2004 19:52 schrieb Tobias Weisserth:

I don't like your tone, young man ;-) Seriously. Acting like this isn't helping anyone.

well, normally I do not like this kind of conversation, but he raised a valid point: SuSE 9.0 came without a working nmap (does not work under root) nor with a working tripwire. (I dont want to mention other bugs which have been fix until now). And of course a user has the right to demand for working programs. Now you can say: install the RPM of 8.2, compile by your own, get the patched nmap.... I am doing that, but lots of more unskilled users (and I am NOT the super expert) does not have this chance. cu stonki P.S. If (!) M$ would act this way, we all would beat them to hell ..... -- www.stonki.de: the more I see, the more I know....... www.proftpd.de: Deutsche ProFTPD Dokumentation www.krename.net: Der Batch Renamer für KDE www.kbarcode.net: Die Barcode Solution für KDE

Tobias Weisserth wrote:

Hi,

I don't like your tone, young man ;-)

Seriously. Acting like this isn't helping anyone.

If you're so dependant on Tripwire then install the 8.2 RPM with the force and nodeps flags or try compiling the source from tripwire.org.

And if that doesn't work, then try another file integrity tool. There ARE alternatives to Tripwire, you know?

AIDE is a good lead.

In fact, I disagree with you on the MS SuSE comparison. It's totally the other way around. If SuSE acted like MS they would have just released the 8.2 RPM in the 9.0 branch and leave it that way since "it works".

The fact that SuSE is actually investing time into a good solution is very important to me. In the meantime, the security minded admin is certainly capable to use something else than Tripwire.

just my 0.02€

Tobias W.

Maybe I'm missing something, but why did SUSE even include a broken product/rpm in to the production release in the first place? If the tripwire rpm didn't work, shouldn't it have been removed from the release and only made available once it worked? Just my $0.02. David