SuSE like to do their own code audit of packages before they are added to the distribution. This includes audits of new code additions to existing packages. This is a "very good thing" (tm) for _your_ security, and has saved SuSE from
[---] I don't think that SuSE has done a code _audit_ on any of the packages they ship (Roman, correct me if I'm wrong). They just do integration tests (and even those are not always as thorough (sp?) as they should be, remember the OpenSSH "debacle" last time).
You are right: Thomas Biege, Sebastian Krahmer, Marc Heuse, Kurt Garloff and myself among many package maintainers wade through the code of packages, searching piles of spaghetti for bugs. This is done with packages that are of major concern wrt security, like network daemons or suid programs, sometimes other stuff like scripts and configs, too. But that also means that not _all_ of the programs are being investigated. The testing stuff needs improvement, yes. And please don't mention openssh again. :-/
My argument is supported by the lack of an audit for the kernel, which has to go a long way, yet there are SuSE packages for it. Use OpenBSD if you want a really audited operating system (save all those server programs you'd need)
And concerning the number of security holes, I don't think SuSE is really better than, say, Debian. They are quite active in fixing the holes nowadays thanks to a really good security department.
Not my job to comment on this.
I don't think there is really added benefit in releasing updated packages for the above mentioned packages. They will get folded into the next version of SuSE Linux (7.1?), that's it.
Not wrong, but it doesn't quite hit it. Yes, we want to sell SuSE Linux boxes, but the amount of packages doesn't permit posting update packages for new features. We support security updates, yes, and, frankly, as a former system administrator of 60+ boxes, Linux + Solaris, most of them servers, I'd rather not install an update package if it isn't security related. I wait until the next release gets published and do all the cleanup in one strike.
Greetings, olli
Thanks, Roman.
--
Roman Drahtmüller <draht@suse.de>          "Caution: Cape does
SuSE GmbH - Security                        not enable user to fly."
Nürnberg, Germany, Phone +49-911-740530     (Batman Costume warning label)