Hi Frank,

Does this mean that SuSE does NOT provide security updates to releases other than the current one???

This means that the day you release a new release the previous release is left swinging in the wind...

Eric

You wrote:
In your patches/updates for SuSE 6.1 you have updates for pine and Samba that are strongly recommended.
We have SuSE6.0, do these vulnerabilities exist in 6.0?
If they do, where can we get the updates for 6.1?
It could be that the same vulnerabilities exist in 6.0. The problem is:
6.0 had the kernel 2.0.36, 6.1 has the kernel 2.2.7. These kernels are so different that you couldn't use the update patches. Please download the original packages and compile the programs yourself.
--
regards,
Your SuSE Support-Team Frank Lemser (support@suse.de)
------------------------------------------------------------
SuSE GmbH, Tel: +49-911-7405330 Mo/Do 13-18.00
Schanzaeckerstr. 10, Fax: +49-911-3206727
90443 Nuernberg, Email: support@suse.de
Germany WWW: http://www.suse.de/Support/sdb
------------------------------------------------------------

On Fri, Aug 06, 1999 at 01:18:55PM +0100, Eric Mosley wrote:
Hi Frank,
Does this mean that SuSE does NOT provide security updates to releases other than the current one???
This means that the day you release a new release the previous release is left swinging in the wind...

I think this is an important point. As the Linux industry grows, people's expectations are going to continue to go up. Companies putting servers into production will expect patches for the installed version to be available for several *years* at least.

This is a pain, of course, but it's a service customers will insist on. Look at Sun, for example, they still release SunOS patches any time a security hole or major bug is found. I bet they wish they could just bury it 6 feet under and forget about it, but that would cause them to lose customers.

With Linux, you have an even more competitive environment, as a pissed-off customer doesn't have to abandon their OS (and apps, and development work, etc.) Instead they can just switch to another distribution.

So, here's hoping SuSE continues to lead the pack!

Chris

hi ya,

i, actually, do not understand what your problem is. If a security hole is found in any program running on a linux system (presuming it is covered by the gpl) a fix will be released by the responsible author after a short period of time. i don't think suse needs to mirror all these sites ... which would leave them no time to put together a new release which, in fact, is mainly an update of packages. and since suse offers their distributions online (though i don't know how complete those archives are) one could just obtain the appropriate package from the current distribution.

i agree with you that a patch needs to be provided by suse if a security hole is found in any part that is not in any standard release of a package or in any proprietary extension by suse. in that case they need to offer a patch for _all_ versions of suse linux _ever_ released.

but the upgrading of linux in case of a security hole is not on the distributors side. that is what makes linux so flexible ... you just install an upgraded version from the author's site. if that means recompiling this package ... alright ... that is what you decided on when you chose linux as your operating system !

cu nic.

"Chris L. Mason" wrote:
On Fri, Aug 06, 1999 at 01:18:55PM +0100, Eric Mosley wrote:
Hi Frank,
Does this mean that SuSE does NOT provide security updates to releases other than the current one???
This means that the day you release a new release the previous release is left swinging in the wind...
I think this is an important point. As the Linux industry grows, people's expectations are going to continue to go up. Companies putting servers into production will expect patches for the installed version to be available for several *years* at least.
This is a pain, of course, but it's a service customers will insist on. Look at Sun, for example, they still release SunOS patches any time a security hole or major bug is found. I bet they wish they could just bury it 6 feet under and forget about it, but that would cause them to lose customers.
With Linux, you have an even more competitive environment, as a pissed-off customer doesn't have to abandon their OS (and apps, and development work, etc.) Instead they can just switch to another distribution.
So, here's hoping SuSE continues to lead the pack!
Chris
-- Looking for help with Linux? http://www.schnism.net/linux/

On Sat, Aug 07, 1999 at 10:32:59AM +0200, Nicholas Dille wrote:
hi ya,
i, actually, do not understand what your problem is. If a security hole is found in any program running on a linux system (presuming it is covered by the gpl) a fix will be released by the responsible author after a short period of time. i don't think suse needs to mirror all these sites ... which would leave them no time to put together a new release which, in fact, is mainly an update of packages. and since suse offers their distributions online (though i don't know how complete those archives are) one could just obtain the appropriate package from the current distribution.
[...]

Hi,

You're absolutely right, and this is how I update my own systems. If there is a big problem, I won't wait for a package from SuSE, I'll just uninstall the rpm, download the latest source, compile and install.

You're also right that providing the types of "patches" I mentioned are just package updates. The whole point is this type of thing is *expected* by many corporations. They don't want to have to download a tarball to 200 different boxes and do it manually. By providing their own packages, SuSE, supposedly, does a bunch of testing to ensure functionality and compatibility with the rest of the set of software in a given distribution version. As you may know, current Red Hat rpms don't work with SuSE in many cases, as an example.

Also, this is basically all Sun is doing too. Sun uses their own "pkg" format which is very similar in concept to rpm. The concept of dependencies and installation/deinstallation are the same. They probably have multiple source trees with only very small variations between them for all the different versions (not to mention x86 as well!) At least SuSE doesn't have to actually write most of the code, they only have to test and integrate it (which is still a lot of work, as you point out.)

Let me be clear in that I am not suggesting how SuSE should or should not do things, or how these things in general should be handled. What I was trying to say is that people will want these kinds of guarantees, and the Linux market being what it is, *some* distributions will start providing this type of service. This will no doubt force SuSE and others to do it as well in order to remain competitive.

I would humbly suggest, that if this is the case, it is better to lead than to follow.

Chris

On Sat, 7 Aug 1999, Nicholas Dille wrote:
and since suse offers their distributions online (though i don't know how complete those archives are) one could just obtain the appropriate package from the current distribution.
AFAIK, the archives are complete, except some "commercial" packages (the "pay" series) which they aren't allowed to distribute on the net (e.g. the unlimited OSS version).

Obtaining binary packages and installing them in an older SuSE version could lead to unexpected problems, e.g.:
- The new package needs a new rpm version
- The software is linked against newer versions of libs etc.
- Yast / SuSEConfig format could have changed
- The path could have changed
- The package could depend on another package which you also have to update (See also: recursiveness :-)

--
markus schaber -- http://www.schabi.de/ -- ICQ# 22042130
Why do it the awkward way when it can also be done the complicated way! (Eva Maria Schaber)