package stability
Axel Thimm
Axel.Thimm at ATrpms.net
Fri Mar 9 15:26:13 UTC 2007
On Fri, Mar 09, 2007 at 03:20:02PM +0100, Thorsten Leemhuis wrote:
> On 09.03.2007 10:06, Axel Thimm wrote:
> > [...] Removing them from the repo will still leave many
> > RHEL boxes vulnerable. Maybe the meta-package obsoleting/conflicting
> > with some packages which Thorsten suggested in Fedora-land in a
> > different context makes much more sense here?
>
> My idea was meant for dist updates (FC6->F7) only and crazy enough for
> that scenario already, as uninstalling packages behind the users back
> without asking them is not nice (tm). The idea for that reasons was
> rejected yesterday by FESCo. That fine for me as long as a proper
> solution for the problem at hand comes up (hopefully soon, but I doubt it).
>
> Back to EPEL: Removing packages behind the users back without asking
> them in a stable dist is just insane afaics. It might be a last resort
> in some very very rare cases, but that should be avoided at all costs.
> So no, that doesn't work.
I agree with fesco on rejecting the original setup: I'm not thinking
of the garbarge-collector-standard-installed-package, but of an
optional "epel-security-orphaned" package. The mechanism is similar
(although I would not obsolete/provide, but simply conflict), but the
semantics are different.
Users can chose to run their systems with their pants down or install
this package and be assured that at the very least if a security issue
is not fixed it is removed.
E.g.
# foo 1.2 has a remote explit and we cannot backport the fix, nor
# update this package
Conflicts: foo <= 1.2
The "epel-security-orphaned" would be just another optional installed
package. when you pull it in in cleanses any vulnerability by nuking
the unfixable packages. Users' choice of running a secury RHEL/EPEL
setup.
--
Axel.Thimm at ATrpms.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/epel-devel-list/attachments/20070309/1b62d68a/attachment.sig>
More information about the epel-devel-list
mailing list