From: Manuel Reimer on
Glyn Millington wrote:
> Not trying to drive anyone away from Slackware, but would Arch Linux
> tick your boxes?

> http://wiki.archlinux.org/index.php/Main_Page

Yes, this is interesting, but there are two small things, I'm still
unsure about:

- Packages aren't signed
- Who creates the packages?

The first seems to be currently in the works. I'll definitely wait until
they have signed packages, before I set up a first box and try to make it
auto-update from the internet.

To answer the second one, I'll have to find the answer in their
documentation or ask somewhere. It's important that only a few trusted
people are able to publish packages and not anyone who is able to use a
web upload form.

CU

Manuel

From: Manuel Reimer on
Franz Sauerzopf wrote:

> From Changelog current:
> l/jre-6u19-x86_64-1.txz: Upgraded.
>        Upgraded to Java(TM) 2 Platform Standard Edition Runtime Environment
>        Version 6.0 update 19.

Nice to see this in Slackware current, but my machines run on different
Slackware stable releases, so my auto update process won't find this
file.

In fact the only real disadvantage, I see in Slackware, is this ugly
patch management.

Patrick prefers to patch as little as possible.
I would prefer to patch as soon as possible, means as soon as the bug is
fixed upstream.

Patrick seems to ask "is there already an exploit that could be abused?"
I ask "may it theoretically be possible to write an exploit to abuse this
hole?"

CU

Manuel

From: Aaron W. Hsu on
Manuel Reimer <mreimer(a)expires-30-04-2010.news-group.org> writes:

>And I don't just have *one* Slackware PC. I've written a perl script to
>auto-update all the PCs with official patches, so they keep "secure"
>automatically.

>As I don't want to manually update Java on all those PCs it was easier
>to just uninstall Java. I don't have an important use case for Java.

If you want to update Java outside of the stable packages provided,
and you want to also distribute package updates to your machines
automatically, the solution is to maintain your own mirror of the
slackware packages. Then you can insert your updated packages as you
see fit, and these updates will trickle down to each of your
machines. This is fairly easy in Slackware using slackpkg and
rsync.

Aaron W. Hsu
--
A professor is one who talks in someone else's sleep.

From: Henrik Carlqvist on
Manuel Reimer <mreimer(a)expires-30-04-2010.news-group.org> wrote:
> Patrick prefers to patch as little as possible.
> I would prefer to patch as soon as possible, means as soon as the bug is
> fixed upstream.

I have been using Slackware for about 15 years. During these years I have
so far to my knowledge never been the victim of any used security hole on
those boxes. However, all my Slackware machines live rather secure behind
firewalls and also have users which should be considered trustworthy.

During these years on a few occasions the installation of official
security patches has caused some kind of lost functionality or brokenness.
In most of these cases I have reverted the patch as the fixed security
flaw was not as severe as the broken or lost functionality.

So from my point of view I don't think that Patrick needs to be any
quicker to release patch packages as soon as any upstream source claims
that an update will fix something. Someone has to make a judgement on
every case weighing pros vs cons on upgrading the software and I think
that Patrick does a rather good job on this.

regards Henrik
--
The address in the header is only to prevent spam. My real address is:
hc3(at)poolhem.se Examples of addresses which go to spammers:
root(a)localhost postmaster(a)localhost
