openssl issue
Daniel Roesen
dr at cluenet.de
Thu Mar 18 15:04:17 UTC 2004
On Thu, Mar 18, 2004 at 02:35:41PM +0000, Joe Orton wrote:
> The problem is really that there is no QA team for Fedora which can test
> embargoed security fixes.
The stuff *is* already being tested for RH9, and I seriously
doubt that a RH9 QA'ed OpenSSL package behaves any differently on
FC1 - given that both have the almost exact same OpenSSL predecessor
package.
The only changes between 0.9.7a-20 (RH9 predecessor) and 0.9.7a-23
(current FC1) are:
- add a_mbstr.c fix for 64-bit platforms from CVS
- add -Wa,--noexecstack to RPM_OPT_FLAGS so that assembled modules get
tagged as not needing executable stacks
- remove exclusivearch
I doubt that pulling in the changes in the RH9 update:
- pull in fix for libssl link line (Tim Waugh, #111154)
- add security fixes for CAN-2004-0079, CAN-2004-0112
- updated ca-bundle.crt: removed expired GeoTrust roots, added
freessl.com root, removed trustcenter.de Class 0 root
do invalidate any QA already done.
I may be wrong... feel free to clue me in. :-)
> (Unless you want us to do everything
> privately inside Red Hat again, which defeats the point of the project).
Well, Fedora is still a RH-only show. For me, Fedora changes the
following things in comparison to RH9 and earlier:
- higher update pace (good)
- lesser resistance to break stuff to skip hurdles (good)
[introduction of new stuff, which needs to break backwards compat]
- extremely delayed security updates (showstopper)
Over the years, using Linux became more and more of a tool to do
a job (I'm speaking of private use here) - not a self-serving
playground. As such, I nowadays use vendor kernels because they are
mature enough and have all I need. I simply don't have the time
anymore for all this detail fiddling around. This worked nicely for
the RH7/RH9 era. But beginning with FC1, I now have to invest
significant time just to get security updates for my private systems
in place, in order not to be an easy target for the blackhats.
I fully understand that this is all "free beer", so don't get me
wrong.
Best regards,
Daniel