I have been looking at the security advisories provided here:
http://lists.centos.org/pipermail/centos-announce/
It appears that there is not a 1:1 correlation between advisories listed here and advisories listed by Red Hat:
Is there a specific reason for this? Also, is there an alternate location to find all Errata information for CentOS?
Joshua Bahnsen
Joshua Bahnsen wrote:
> I have been looking at the security advisories provided here:
> http://lists.centos.org/pipermail/centos-announce/
> It appears that there is not a 1:1 correlation between advisories listed here and advisories listed by Red Hat:
> Is there a specific reason for this?
Can you expand on that? CentOS does not announce RHBAs (Bugfix updates) for at least CentOS 4.
Ralph
That's really my question. Is there any particular reason why not all Red Hat advisories (RHEA, RHBA and RHSA) have a CentOS counterpart? Is this due to time constraints, demand, or some other legal reason?
Joshua Bahnsen, Software Developer O : 480.663.8787 | joshua.bahnsen@lumension.com Lumension | 15880 N. Greenway-Hayden Loop Suite 100 | Scottsdale, AZ 85260
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Ralph Angenendt Sent: Tuesday, June 16, 2009 2:28 AM To: centos@centos.org Subject: Re: [CentOS] CentOS security advisories
Joshua Bahnsen wrote:
> That's really my question. Is there any particular reason why not all Red Hat advisories (RHEA, RHBA and RHSA) have a CentOS counterpart? Is this due to time constraints, demand, or some other legal reason?
Ah.
"Historical Reasons", probably. All RHSAs should be there, RHBAs just haven't been announced for 4 - there's no other appalling reason I could think of at the moment :)
I'm not sure about RHEAs, though.
Ralph
On 06/17/2009 09:56 AM, Ralph Angenendt wrote:
> "Historical Reasons", probably. All RHSAs should be there, RHBAs just haven't been announced for 4 - there's no other appalling reason I could think of at the moment :)
with the new processes going in - that should change.
> I'm not sure about RHEAs, though.
We have done most for C5, not all for C4.
The tricky situation is also for the updates when a new iso set is released, e.g. 5.2 -> 5.3; upstream tend to publish a report for each package that is out there, we haven't done that 'traditionally'. Given time and resources, I am sure we can revisit that, if anyone is really interested.
- KB
> The tricky situation is also for the updates when a new iso set is released, eg 5.2 -> 5.3, upstream tend to publish a report for each package that is out there, we havent done that 'traditionally'. Given time and resources, I am sure we can revisit that, if anyone is really interested.
> - KB
I believe that's where I am seeing the biggest discrepancy. Has there been any discussion to put the advisory data in an updateinfo.xml form for use with the yum-security plugin?
Joshua Bahnsen wrote:
> I believe that's where I am seeing the biggest discrepancy. Has there been any discussion to put the advisory data in an updateinfo.xml form for use with the yum-security plugin?
Yes, it's come up a few times, there has been some work done on it as well, however there is no automated way to get this info without breaching the rhn aup's - and I have zero interest in trawling through bugzilla and typing all these things out. If you want to propose a process to make this happen, I am all ears ( and eyes ).
What exactly do you mean by "breaching the rhn aup's"?
Joshua Bahnsen
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Karanbir Singh Sent: Wednesday, June 17, 2009 3:59 PM To: CentOS mailing list Subject: Re: [CentOS] CentOS security advisories
What I mean is, is there a specific Red Hat web page that defines what is acceptable and what is not?
Joshua Bahnsen
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Joshua Bahnsen Sent: Wednesday, June 17, 2009 4:14 PM To: CentOS mailing list Subject: Re: [CentOS] CentOS security advisories
I assume you mean this?
http://www.redhat.com/legal/legal_statement.html
Sorry for the spam...
Joshua Bahnsen
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Joshua Bahnsen Sent: Wednesday, June 17, 2009 4:15 PM To: CentOS mailing list Subject: Re: [CentOS] CentOS security advisories
On Wed, 17 Jun 2009, Joshua Bahnsen wrote:
> I assume you mean this? http://www.redhat.com/legal/legal_statement.html
That is an assumption you make, all right --- that page does not state it is exhaustive, however ...
> What I mean is, is there a specific Red Hat web page that defines what is acceptable and what is not?
Feel free to ask them, just not on this list
> What exactly do you mean by "breaching the rhn aup's"?
Red Hat's outside counsel has made a statement asserting (in part) CentOS project misbehavior by so-called 'deep linking' as follows:
Moreover, our client does not allow others [in a letter directed to asserted improper CentOS project behavior] to provide links to our client's web site without permission.
earlier: K B Singh wrote: yes, its come up a few times, there has been some work done on it as well, however there is no automated way to get this info without breaching the rhn aup's
I realize you [Joshua Bahnsen] feel a need to top post for some reason, but it simply means that context threading is broken.
Red Hat's counsel threatened litigation against the project if it did not address various alleged issues:
... we trust that this issue can be resolved promptly and amicably and appreciate your attention to this matter. We look forward to your reply and request a response no later than February 4, 2005
Why would the project go again near a sharp edge that Red Hat has chosen to take offense at? Who shall insure and indemnify the project and its members against the costs of defense, let alone any damages award?
Please note that I do not need a reply on that question, as it is clearly a rhetorical question.
-- Russ herrold
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of R P Herrold Sent: Wednesday, June 17, 2009 5:37 PM To: CentOS mailing list Subject: [CentOS] CentOS security advisories
[Joshua Bahnsen]
I don't want to cause any trouble here, but what does this have to do with generating advisory information that is provided by the vendor? Are there legal questions around clicking around the publicly available advisory data and generating XML based on that information? Obviously CentOS is generating *SOME* of the data provided by the vendor but not all. I'm merely trying to figure out:
1. Why there is a discrepancy (legal?, time?, need?, etc.)
2. If there is an alternate location to find this advisory information for CentOS
3. If anyone has tried to combine this data into a format consumable by yum-security
4. If using the advisory data provided on the vendor website and changing the title is a valid approach to generate advisory data in which the rpms are named the same
I believe this feature (patching based on advisories) would be advantageous to end users.
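As an added illustration of points 3 and 4 above, and of the updateinfo.xml question raised earlier in the thread, here is a small Python script; it is not code from the CentOS project or from anyone on this list. It emits an updateinfo.xml of the shape the yum-security plugin reads, then matches a repository's package list against it. It assumes advisory records are already available as plain dicts, and that rebuilt packages keep the same name-version-release-arch as the upstream advisory lists (which is what point 4 relies on); every advisory id, CVE id, package name and URL in it is a constructed placeholder.

```python
# Added example, not code from the CentOS project or from this thread.
# Builds an updateinfo.xml of the shape yum-security reads from advisory
# records, then checks which packages of a repository it covers.  Every
# advisory id, CVE id, package name and URL here is a constructed placeholder.
import xml.etree.ElementTree as ET

# Constructed sample advisory record.  The id and CVE are placeholders,
# not real CESA/RHSA or CVE numbers.
SAMPLE_ADVISORY = {
    "id": "CESA-0000:0000-EXAMPLE",
    "type": "security",            # yum-security filters on this attribute
    "severity": "Important",
    "title": "Important: examplepkg security update",
    "issued": "2009-06-17 00:00:00",
    "description": "Constructed description of a flaw fixed in examplepkg.",
    "references": [
        {"id": "CVE-0000-0000", "type": "cve",
         "href": "https://example.invalid/cve/CVE-0000-0000"},
    ],
    # (name, epoch, version, release, arch) for each binary package
    "packages": [
        ("examplepkg", "0", "1.2.3", "4.el5_3", "x86_64"),
        ("examplepkg-libs", "0", "1.2.3", "4.el5_3", "x86_64"),
    ],
}


def rpm_filename(name, version, release, arch):
    """RPM file name for a package; the epoch is not part of the file name."""
    return f"{name}-{version}-{release}.{arch}.rpm"


def build_updateinfo(advisories, collection_short="centos5",
                     collection_name="CentOS 5",
                     sender="centos-announce@centos.org"):
    """Serialise advisory records into an updateinfo.xml document (str)."""
    updates = ET.Element("updates")
    for adv in advisories:
        upd = ET.SubElement(updates, "update", {
            "from": sender, "status": "stable",
            "type": adv["type"], "version": "1.4"})
        ET.SubElement(upd, "id").text = adv["id"]
        ET.SubElement(upd, "title").text = adv["title"]
        ET.SubElement(upd, "severity").text = adv["severity"]
        ET.SubElement(upd, "issued", {"date": adv["issued"]})
        refs = ET.SubElement(upd, "references")
        for ref in adv["references"]:
            ET.SubElement(refs, "reference", {
                "href": ref["href"], "id": ref["id"],
                "type": ref["type"], "title": ref["id"]})
        ET.SubElement(upd, "description").text = adv["description"]
        coll = ET.SubElement(ET.SubElement(upd, "pkglist"), "collection",
                             {"short": collection_short})
        ET.SubElement(coll, "name").text = collection_name
        for name, epoch, version, release, arch in adv["packages"]:
            pkg = ET.SubElement(coll, "package", {
                "name": name, "epoch": epoch, "version": version,
                "release": release, "arch": arch})
            ET.SubElement(pkg, "filename").text = rpm_filename(
                name, version, release, arch)
    return ET.tostring(updates, encoding="unicode")


def advisory_packages(updateinfo_xml):
    """Map each (name, epoch, version, release, arch) in the XML to its advisory id."""
    root = ET.fromstring(updateinfo_xml)
    mapping = {}
    for upd in root.findall("update"):
        adv_id = upd.findtext("id")
        for pkg in upd.iter("package"):
            key = tuple(pkg.get(k) for k in
                        ("name", "epoch", "version", "release", "arch"))
            mapping[key] = adv_id
    return mapping


def coverage_report(updateinfo_xml, repo_nevras):
    """Match a repository's NEVRA list against the advisories.

    Returns (covered, missing): repo packages an advisory names, keyed to
    the advisory id, and advisory packages absent from the repo, which is
    the case to flag when upstream's package list is reused for a rebuild.
    """
    mapping = advisory_packages(updateinfo_xml)
    covered = {n: mapping[n] for n in repo_nevras if n in mapping}
    missing = sorted(set(mapping) - set(repo_nevras))
    return covered, missing


if __name__ == "__main__":
    xml = build_updateinfo([SAMPLE_ADVISORY])
    # Constructed repo contents: one advisory package present, one absent.
    repo = [("examplepkg", "0", "1.2.3", "4.el5_3", "x86_64"),
            ("otherpkg", "0", "1.0", "1.el5", "x86_64")]
    covered, missing = coverage_report(xml, repo)
    print(xml)
    print("covered:", covered)
    print("missing from repo:", missing)
```

The matching key deliberately includes the epoch, since yum compares full NEVRAs; a rebuild that drops or changes an epoch would otherwise look covered when it is not. Once the generated file is attached to a repository's metadata (modifyrepo from the createrepo package adds it as the updateinfo record), yum-plugin-security's `yum list-security` and `yum --security update` act on the entries whose update element carries `type="security"`.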
On Wed, 17 Jun 2009, Joshua Bahnsen wrote:
> I don't want to cause any trouble here, but what does this have to do with generating advisory information that is provided by the vendor?
... if you won't acknowledge the landmines, you get blown up, eventually, I hear
> I believe this feature [insert desired pony here] would be advantageous to end users.
Please feel free to code an implementation of any proposed process to yield what you deem a desirable feature enhancement for the CentOS project, and run it in demonstration for review. Assuming it is FOSS licensed, we'll look. The documents group already does this as to wiki content creation.
TANSTAAFL for any material coding effort.
-- Russ herrold
Is there an alternate location (other than the mailing list archive) where a list of the advisories can be found?
Joshua Bahnsen
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Karanbir Singh Sent: Wednesday, June 17, 2009 2:52 AM To: centos@centos.org Subject: Re: [CentOS] CentOS security advisories