[CentOS-devel] CentOS-[56] Continuous Release

Tue Jun 21 15:41:48 UTC 2011
Les Mikesell <lesmikesell at gmail.com>

On 6/21/2011 10:09 AM, Karanbir Singh wrote:
> On 06/21/2011 04:06 PM, Les Mikesell wrote:
>>> a kernel that does not boot can kind of do that...
>> But is that really worse than one that allows anyone to become root,
>> which might be the other choice?  And if you can't take the chance or
>> think you are firewalled well enough that it doesn't matter, why update
>> at all?
> I'm guessing you are just ranting here for the sake of ranting. Or do
> you really expect rpms to be pushed from build to public repos online
> without any testing at all ?

I'm pointing out that running for any length of time without fixing
known vulnerabilities is very bad.  Even if it is a local root
escalation - if you also have an exploit in a network app (like the
bazillion in php and its apps, struts, etc.) the two can be combined to
take over the machine and it is mostly a matter of time until it happens
(and yes, this is from experience...).  And I thought last time around
you said these packages would go through the normal QA process before
even going into the optional CR repo, so I'll repeat the question as to
why you think something is going to be wrong with them.  I can see
wanting some reasonable number of machines to run them as a test, but
still don't understand why anyone would want to continue to run with
known problems instead of having them fixed.

   Les Mikesell
    lesmikesell at gmail.com