[CentOS-devel] yum-plugin-security and shellshock

Thu Oct 2 08:39:29 UTC 2014
Karanbir Singh <mail-lists at karan.org>

On 10/01/2014 10:07 PM, Kevin Stange wrote:
> Somehow this information is apparently useful, supported and functional
> in Fedora and SL.  What are they doing to make sure it's not half-baked
> and broken?  Anyone from SL or Fedora here that could answer that question?


Fedora is a complete enclosed distro - their proposition is different.
For SL - they publish the metadata and hope for the best, maybe that is
fine with their userbase but winging it and keeping fingers crossed is
really not how I'd want to run my systems.

While there is still a firewall between us and the RHEL QE / RelEngg;
but based on the conversations we've had and what I've seen happening -
it's pretty clear the SL guys are pushing confidence around things
that they need to own - and as far as I can tell there is no effort to
actually validate any of it; even to the point that when heartbleed
happened - I had to go remind them that every SL version and every user
instance was exploitable; unlike RHEL and CentOS where only folks who
had updated in the few weeks leading up to the issue being reported.

If you want to see this issue resolved, then blindly throwing something
over the wall and hoping for the best isn't the way to do it - there are
fairly tangible pieces of work that need to be done, find the time, do
the work. We can all gain from it.

Besides, if it's a case of winging it, why not wing it with a 'yum update
\*' - at least you are then winging it with a tested process ( upstream
and to -some- extent in centos.org too ).

-- 
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc