Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] Is my package fixed? Or: How to look into RPMs
  • From: Donavan Pantke <avatar@xxxxxxx>
  • Date: Wed, 18 Sep 2002 14:29:35 -0400
  • Message-id: <200209181429.35656.avatar@xxxxxxx>
On Wednesday 18 September 2002 10:58, Peter Poeml wrote:
> Sometimes on this list folks express doubts whether a package contains a
> certain fix or not. Even if the security announcements say the packages
> are not vulnerable, they want to know for sure. Looking at the version
> number of the package is most likely not enough to be sure... but how
> then? How to look "into" the packages?
>
> I thought I'd write up a short howto and post it here.


I just wanted to post on-list a big thanks to you and the rest of the
security team for helping the paranoid folks of the world how to not trust
you. :) Honestly, that's a good thing, because people can verify for
themselves that something was done to fix the problem, and to the really
paranoid, look for the fix themselves. I sure know that you can get no FAQ or
similar from any closed source company, where you're forced to trust them,
and you're usually handed a new rev with other changes along with the security
fix. For the really security paranoid folks, there are methods of ensuring
that the fix was applied, and possibly more importantly, ONLY that fix was
applied. Of course, for the slightly less paranoid, we just -Uvh the binary
and keep on going. However, it gives me a lot of peace of mind that I have
ultimate control on the security and safety of my system: if I don't trust
you, I can verify that you've done your job. Not that I'd ever have to, mind
you.

A big thanks to the SuSE security team!
Donavan Pantke
