Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] Online Update
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Tue, 29 Jan 2002 20:12:06 +0100 (MET)
  • Message-id: <Pine.LNX.4.44.0201291940450.514-100000@xxxxxxxxxxxx>
> At 10:33 AM 1/29/2002 +0100, you wrote:
> >Does/will Yast online update support HTTP (or at least http proxy)?
>
> yes, they added http support with one of the latest YOU updates, however
> you can't choose it - it only uses it when it wants to. SuSE doesn't
> have HTTPD running on any of their FTP servers either (wish they did)

We will likely run http servers at some time in the future. Currently, we
do not.

Most of the mirrors of the SuSE trees do not have http access either. If
we are the only ones who provide packages via http (eg without the
majority of the mirrors), then our leased lines couldn't handle the load
any more.
We're talking global aspects here, not only some wishes. The local
resource problem is solvable, but the bandwidth problem is not. It needs
many many sold SuSE Linux packages to afford our connectivity.

So far for the server-side. The client-side (YOU) needs http support so
that proxies can be used in an easy fashion. As I said in an earlier mail,
we are working on it. It's not trivial in some respects.

> >As ftp is a weird protocol anyway, I don't think it should be used so
> >much, especially for important things like updates.
>
> They should use scp :-)

Nobody would argue that a protocol that opens secondary connections opens
up a lot of problems, many of which are security related (filtering). It's
all a matter of alternatives.

>
> > I have some servers
> >behind an MS Proxy Server and can't use online update, because yast
> >doesn't support any proxy, and socksify + bouncer on a machine with MS
> >Proxy client installed doesn't work, too (http/ssh works though).
> >And once again, why is YOU not half as cool as apt-get ??
>
> Because the people who are working on it don't seem to care enough. It's
> slowly getting better but I really don't understand why a little more
> effort isn't put into it, since it's a highly sought-after feature.

No comment to the clearly non-technical claims.

>
> Anyway, that's not the worst of YOU's problems - it uses its own
> internal patch manager and never consults rpm. Due to this, a patch is
> always marked as "installed" unless you do some hacking. For instance
> the other day I fried my MySQL installation while testing and had to do
> an ftp reinstall from yast1. It installed the old original versions of
> MySQL & Co., and when I opened YOU the mysql updates that I _knew_ were
> there were not available to be selected.
> I had to hack some things to get YOU to wake up. This is very bad.

There is no such thing as an "internal patch manager". YOU sees a file
"openssh-3", has one called "openssh-2" and concludes that the "-3"
version is newer.

If you do everything as it wants to, then it will work.
In particular, a defective portion of code in YOU requires an update of
YOU itself. If you do not approve of it, it won't see all the other
updates as well. It's so easy.

There used to be one problem with the naming of the openssh-2 patch
description: We manually ++'ed the number to -3 b/c the mechanism to do
this was a bit glitchy.


>
> Also if you download, say 5 updates (this actually happened to me) and
> during the install part rpm gives an error, say on the second package,
> the installation ceases (i.e. the remaining packages do _not_ get
> installed) yet YOU marks them as successfully installed anyway.

This is a bug (among a bunch of others) that needs to be fixed.

>
> This actually happened to me when I was trying to update at, netscape,
> openssh and w3m at the same time. The NS package was corrupt, and YOU
> just skipped over sshd and w3m without mentioning it. I only realized
> what was happening because YOU "finished" the installation too fast. If
> I had not been paying attention I would have _thought_ I'd upgraded sshd
> and would in fact have still been using the old version.

We have seen problems with corrupt packages on our mirrors lately, we
don't know how this can happen.

>
> This is very bad.
>
> I have submitted several bug reports to feedback@xxxxxxxx and
> bugs@xxxxxxx and not heard back from them. I have a serious mind to
> submit this to BugTraq in the hope of forcing SuSE to do something about
> it.

You have seen autogenerated mails from feedback@xxxxxxxx (and probably
from bugs@xxxxxxx as well). The mail clearly states that not everything
can be handled, and it might take some time until you get anything back
(if at all).
You also seem to be aware of security announcements, aren't you? At least,
you are reading this list. But then, you should be aware of the primary
security contact of SuSE: <security@xxxxxxx>. You will get answers usually
in less than 24 hours if you write to this list. This issue is clearly
security related, and it needs an urgent fix. It's just that we don't know
of it.

As a SuSE employee responsible for the security field, I am not in the
position to rant at customers, and I don't want to do this here either.
So please take this as a suggestion: What happens here is a communication
problem. The information is valuable, but that is not everything that
matters. Valuable information can be stored on some diskette in my mom's
old computer, and it doesn't change anything in this world. What also
counts are:

1) time
2) origin
3) destination
4) medium
5) mode (language-wise) and language
6) the history of the information
7) related information

The thing with 3) and maybe 5) can be improved on your side in this case.

Now we will go ahead and see if we can fix this as soon as possible and
provide the update package/patch as people expect it. Then we can be happy
again.

>
> I've never done anything like that before - do you think I should? It's
> really quite important and SuSE _need_ to fix it. I'm not sure if it's
> serious enough for BugTraq though.

For sure it's serious enough for security@xxxxxxxx
Thanks for the effort of writing to this list, at least.

Roman.
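The two YOU behaviours argued about above (deciding a patch is newer from the numeric suffix of its description name, and how install status should be recorded when rpm fails part-way through a batch), as an added, constructed model; this is not SuSE's YOU code, and the patch names and the fake rpm callback are assumptions:

```python
import re

# Constructed model of the two behaviours discussed in the thread:
# (1) a patch is "newer" if the numeric suffix of its description name
#     ("openssh-3") exceeds the one already present ("openssh-2"), and
# (2) install status is taken from each rpm result, so packages skipped
#     after an rpm error are not reported as installed.
# Illustrative code only, not the YOU implementation.

PATCH_NAME = re.compile(r"^(?P<base>.+)-(?P<rev>\d+)$")

def parse_patch_name(name):
    """Split 'openssh-3' into ('openssh', 3); reject names without a revision."""
    m = PATCH_NAME.match(name)
    if not m:
        raise ValueError(f"patch name without numeric revision: {name!r}")
    return m.group("base"), int(m.group("rev"))

def newer_patches(available, installed):
    """Return the available patch names whose revision exceeds the installed one."""
    have = dict(parse_patch_name(n) for n in installed)
    return [name for name in available
            if parse_patch_name(name)[1] > have.get(parse_patch_name(name)[0], 0)]

def apply_patches(patches, rpm_install):
    """Install in order and stop at the first rpm error, as the thread describes,
    but record the real outcome per package. rpm_install(name) is an assumed
    callback returning True on success and False on an rpm error."""
    status = {}
    for i, name in enumerate(patches):
        ok = rpm_install(name)
        status[name] = "installed" if ok else "failed"
        if not ok:
            # the rest were never handed to rpm, so say so
            for rest in patches[i + 1:]:
                status[rest] = "not installed"
            break
    return status

def buggy_apply_patches(patches, rpm_install):
    """The behaviour complained about: abort on error, mark everything installed."""
    for name in patches:
        if not rpm_install(name):
            break
    return {name: "installed" for name in patches}

if __name__ == "__main__":
    rpm = lambda name: name != "netscape-1"   # constructed: the netscape package is corrupt
    print(newer_patches(["openssh-3", "w3m-1"], ["openssh-2", "w3m-1"]))
    print(apply_patches(["at-1", "netscape-1", "openssh-3", "w3m-1"], rpm))
```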

