[CentOS-devel] Re: openssh security update

Tue May 8 13:01:49 UTC 2007
Johnny Hughes <mailing-lists at hughesjr.com>

On Mon, 2007-05-07 at 15:34 -0700, Scott Silva wrote:
> Akemi Yagi spake the following on 5/7/2007 3:17 PM:
> > On 5/7/07, Johnny Hughes
> > <mailing-lists at hughesjr.com> wrote:
> >> On Mon, 2007-05-07 at 12:57 -0700, Akemi Yagi wrote:
> >> > CentOS developers,
> >> >
> >> > Could someone take a look at this?  It was posted on the CentOS Forum
> >> > by bdaniels. Apparently this security update came out on May 1, but
> >> > not all versions have been made available for CentOS.
> >> >
> >> > Akemi
> >> >
> >> > === Forum posting by bdaniels ===
> >> >
> >> > Well, the announce list has been posting them:
> >> >
> >> > [CentOS-announce] CESA-2007:0257 Low CentOS 4 s390(x) openssh -
> >> security update
> >> > 05/04/2007 06:44 PM
> >> >
> >> > CentOS Errata and Security Advisory 2007:0257
> >> >
> >> > https://rhn.redhat.com/errata/RHSA-2007-0257.html
> >> >
> >> >
> >> > But only for the s390 and ia64 architectures. The i386/ia32 ones are
> >> missing.
> >> > _______________________________________________
> >>
> >> That would be because they are part of the 4.5 respin ...
> >>
> >> In the past, if we have released only parts of the respin, we have had
> >> errors because some of the packages are compiled on the new glibc/gcc.
> > 
> > OK...BUT, as bdaniels noted, the above update is already out for
> > CentOS ia64 (May 2) and s390 (May 4)...
> > 
> > Akemi
> Those arches probably aren't scheduled for a respin right away. IA64 and s390
> are probably in the single-digit percentage of installs, and those respins can
> probably be put off for an extra week or two without serious complaints. But
> the ssh patches probably shouldn't wait that long.

That is correct ... as we have different developers/release managers
doing different things for different arches.

And I might analyze for releasing the openssh stuff separately, if there
is a long term reason that we can't get the i386/x86_64 respins out.

The problem goes like this:  (as an example)

Kernel is a security release, so I want to push it before we do the
respin.

Kernel boots with the old kudzu and mkinitrd, but does not work
correctly ... so I need to release those too.

The mkinitrd requires that I need to release the new kernel-utils and
module-init-tools.

Pretty soon, I need to release the whole respin to release the kernel.

Since the thing in question is the openssh ... let's see how long RH
waited from build time to release:
=====================================================
From RHN:

openssh-3.9p1-8.RHEL4.20.i386.rpm
Build Date:   2006-11-10 16:14:48
Release Date: 2007-05-01
=====================================================

So if RH can wait almost 7 months to get this package through QA and
release, surely we can QA the entire respin for 2 weeks :-P.

As I said, dumping only part of the respin out can be done, however, I
just did not like the results that we had and the bugs it created the
couple of times we did it that way for i386/x86_64 ... it is just safer
to release it as a group (just like upstream did).

However, if another developer wants to do the other approach, and if
they have analyzed for it, that is also absolutely a valid approach.
Nothing wrong with either way, but I want i386/x86_64 to go through QA
first.

Thanks,
Johnny Hughes
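The dependency chain Johnny sketches above (kernel needs new kudzu and mkinitrd, mkinitrd needs new kernel-utils and module-init-tools, and so on until the whole respin is out), worked as an added example that is not code from this thread or from the CentOS project: a small Python resolver that, given the versions currently published for an arch, the versions sitting in the unreleased respin, and each respin package's versioned Requires, computes the minimal set of packages that has to ship together with the one you want to push. Every package version and every Requires edge below is constructed for illustration (they are not the real CentOS 4.4/4.5 NVRs), and version comparison is a simplified dotted-integer compare rather than rpmvercmp.

```python
"""Closure of a partial errata push (constructed example).

Question answered: "If I push package X from the unreleased respin onto the
currently published tree, which other respin packages must go with it so that
every versioned Requires is satisfied?"  This is the chain described in the
mail: pushing the kernel alone drags in kudzu, mkinitrd, kernel-utils,
module-init-tools and finally the new glibc, i.e. most of the respin.
"""
from typing import Dict, List, Set, Tuple

# Simplified version compare: dotted integers only.  Real RPM uses rpmvercmp,
# which also handles letters, release tags and epochs; this is enough for the
# constructed data below.
def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def satisfies(available: str, required_min: str) -> bool:
    """True if an available version meets a 'Requires: pkg >= required_min'."""
    return parse_version(available) >= parse_version(required_min)


# Constructed data (hypothetical versions, NOT real CentOS NVRs).
# Versions currently published for the arch.
RELEASED: Dict[str, str] = {
    "kernel": "2.6.9.42", "kudzu": "1.1.95.9", "mkinitrd": "4.2.1.8",
    "kernel-utils": "2.4.13", "module-init-tools": "3.1.0",
    "glibc": "2.3.4.2.25", "openssh": "3.9.19", "bash": "3.0.15",
}
# Versions in the not-yet-released respin.
RESPIN: Dict[str, str] = {
    "kernel": "2.6.9.55", "kudzu": "1.1.95.15", "mkinitrd": "4.2.1.10",
    "kernel-utils": "2.4.14", "module-init-tools": "3.1.4",
    "glibc": "2.3.4.2.36", "openssh": "3.9.20", "bash": "3.0.19",
}
# Versioned Requires of each RESPIN package: pkg -> [(dependency, minimum)].
# Functional dependencies that RPM does not declare (the "boots but does not
# work correctly" kind) can simply be added here as extra edges.
REQUIRES: Dict[str, List[Tuple[str, str]]] = {
    "kernel": [("kudzu", "1.1.95.15"), ("mkinitrd", "4.2.1.10")],
    "mkinitrd": [("kernel-utils", "2.4.14"), ("module-init-tools", "3.1.4")],
    "kernel-utils": [("glibc", "2.3.4.2.36")],   # built against the new glibc
    "openssh": [("glibc", "2.3.4.2.36")],        # likewise rebuilt on new glibc
    "bash": [("glibc", "2.3.4.2.25")],           # old glibc is good enough
}


def push_closure(start: str, released: Dict[str, str], respin: Dict[str, str],
                 requires: Dict[str, List[Tuple[str, str]]]) -> Set[str]:
    """Return every respin package that must ship alongside `start`.

    Walk the Requires graph from `start`; a dependency is only added when the
    currently released version does not satisfy the minimum, so packages the
    published tree already covers are left alone.
    """
    if start not in respin:
        raise ValueError(f"{start} is not part of the respin")
    need: Set[str] = {start}
    stack = [start]
    while stack:
        pkg = stack.pop()
        for dep, minimum in requires.get(pkg, []):
            current = released.get(dep)
            if current is not None and satisfies(current, minimum):
                continue  # already satisfied by what is published
            if dep not in respin or not satisfies(respin[dep], minimum):
                raise ValueError(f"{pkg} needs {dep} >= {minimum}, "
                                 f"not available in respin either")
            if dep not in need:
                need.add(dep)
                stack.append(dep)
    return need


if __name__ == "__main__":
    for pkg in ("kernel", "openssh", "bash"):
        print(f"{pkg:>8} -> {sorted(push_closure(pkg, RELEASED, RESPIN, REQUIRES))}")
```

With the constructed data, pushing the kernel alone requires six of the eight packages, pushing openssh requires the new glibc as well, and only bash can go out by itself; a new glibc in the push is exactly the situation the mail warns about, since anything else compiled against it on the build box then needs rebuilding or re-QA.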