[CentOS-devel] CentOS-[56] Continuous Release
Les Mikesell
lesmikesell at gmail.com
Tue Jun 21 15:41:48 UTC 2011
On 6/21/2011 10:09 AM, Karanbir Singh wrote:
> On 06/21/2011 04:06 PM, Les Mikesell wrote:
>>> a kernel that does not boot can kind of do that...
>>
>> But is that really worse than one that allows anyone to become root,
>> which might be the other choice? And if you can't take the chance or
>> think you are firewalled well enough that it doesn't matter, why update
>> at all?
>>
>
> I'm guessing you are just ranting here for the sake of ranting. Or do
> you really expect rpms to be pushed from build to public repos online
> without any testing at all ?
I'm pointing out that running for any length of time without fixing
known vulnerabilities is a very bad idea. Even if it is a local root
escalation - if you also have an exploit in a network app (like the
bazillion in php and its apps, struts, etc.) the two can be combined to
take over the machine and it is mostly a matter of time until it happens
(and yes, this is from experience...). And I thought last time around
you said these packages would go through the normal qa process before
even going into the optional CR repo, so I'll repeat the question as to
why you think something is going to be wrong with them. I can see
wanting some reasonable number of machines to run them as a test, but
still don't understand why anyone would want to continue to run with
known problems instead of having them fixed.
--
Les Mikesell
lesmikesell at gmail.com