Upcoming transition of FC3

Tom Diehl tdiehl at rogueind.com
Sun Oct 23 14:29:45 UTC 2005


On Sat, 22 Oct 2005, Jim Popovitch wrote:

> Nils Breunese (Lemonbit Internet) wrote:
> > 
> > Why would anyone who has updates enabled not want legacy updates to be 
> > enabled?
> 
> From my perspective, I want to know *who* the updates are coming from.
> In the case of Redhat updates, I know that there are ISO-9001
> procedures and policies in place as well as corporate oversight and more 
> importantly corporate responsibility (from a legal point of view).  From 

But we are no longer talking about Red Hat or for that matter Red Hat Linux.
We are talking about Fedora. Yes, I know Fedora is sponsored by Red Hat but
they are not the same.

> FL you generally (if not universally) get good updates, however do you 
> really really know what was in that last ssh update that you got?  While 

Are you telling me you have never had a bad update from Red Hat? Unless
they were to do something on purpose I doubt you would ever get more
out of them than a fixed update, which is the same thing you would get from
FL.

> I am not so paranoid to automatically suspect everything I download, I 
> am paranoid enough to try and understand the origin of what I download.
> 
> So...
> 
>    1) what server should be used as the default update server
>       for out-of-the-box updates?
>    2) what policies, purview, scrutiny should that/those server
>       operators be put under and who will take responsibility
>       for enforcing this?
>    3) what legal disclaimers, and by what means, will alert
>       newbies that they are no longer getting official Redhat
>       updates?

They are not getting "official Redhat updates" now. There is no such thing.

If you are really thinking about all of the above and paying attention then the
change will have no impact on you. You will be on top of things and all is well.

What happens to the poor guy who was not paying attention when the FC EOL
occurred? That same guy that thinks his system is still being updated daily.
A remote exploit for ssh gets released in the wild. Now his system is
compromised and as far as he is concerned FC is crap, because he has all
of the latest updates installed.

> Currently all three of the above issues are addressed individually by 
> users who manually configure their systems.  This action is so user 
> intensive (visit website, cut-copy-paste yum.conf, download and install 
> yum, etc) that it isolates FL from legal responsibility.  All FL has to 
> do to protect itself is not intentionally post malicious code or 
> instructions.

OK, so how do you help keep the noob that has just installed FC3 from having an
un-updated system on the net? Yum comes as a part of Fedora. The Fedora 
repos are enabled by default once you enable yum. I do not think it is 
unreasonable to push an update to yum with the FL repos enabled to help
protect some noob who just installed FC3 and has not figured out all of the
ins and outs of yum.

I agree that the policy needs to be well published but I think that enabling
the FL repos at FC EOL time is one way to help protect the noob from
him/herself. 

IMO most people who would be upset by enabling FL repos at FC EOL time are savvy
enough to turn off the FL repos. I do not think the opposite is necessarily true.

Regards,

Tom Diehl		tdiehl at rogueind.com		Spamtrap address mtd123 at rogueind.com



