[CentOS-devel] yum-plugin-security and shellshock

Thu Oct 2 14:37:09 UTC 2014
Kevin Stange <kevin at steadfast.net>

On 10/02/2014 03:32 AM, Karanbir Singh wrote:
> On 10/01/2014 08:41 PM, Kevin Stange wrote:
>> I'll be honest: I don't care about this scenario at all.  My spacewalk
>> server would take care of this just by virtue of CentOS having the data
>> ever available for these packages and constantly keeping itself current.
> 
> but your use case does not represent a sane interface from the project
> side - hacking up something that is going to put users at risk is far
> worse than communicating that users need to really just apply all updates.
> 
> I really don't understand the corner case arguments you make here, Kevin,
> you are far smarter than this. Are you just trying to tick a box off and
> don't care if that leaves a majority of the userbase exposed by
> incorrectly communicated confidence?
> 
> The fact that you are actually looking to penalise people who don't run
> updates nightly is very dangerous.

I'm not trying to penalize users who don't run updates nightly. I'm
considering people who don't update at all for entire distro release
cycles already doing things so badly, it barely matters if they're
misinformed.

The point of this updateinfo.xml is to get information to people who are
updating on an ongoing basis so they can see what kind of updates
they're getting when they run their daily, weekly, or monthly yum update.

When I update my Windows servers, I read the update notices to see what
component is being updated and why.  I don't usually skip updates, but
it lets me determine if maybe there are any things I should double check
after applying or if I should delay an update while I need to QA
something.  I do the same thing in CentOS, but in CentOS the only source
of information for this is the mailing list.  It could appear right in
the Update Manager, or at least the update manager could end up having a
link right to the RHXAs.

I think there is an actual benefit for the people who update regularly
that trumps people who choose to do really weird things and
intentionally disregard the constant update process of the OS.

-- 
Kevin Stange
Chief Technology Officer
Steadfast | http://steadfast.net
Phone: 312-602-2689 ext. 203 | Fax: 312-602-2688
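The thread argues about what updateinfo.xml should carry; the following Python script, added here as an example and not part of the original thread or of the CentOS or yum projects, shows what a consumer such as yum-plugin-security does with that file. It parses a constructed updateinfo.xml fragment (advisory ids, hostnames, dates and the CVE id are placeholders, not real advisories), maps each pending package update to the advisories that ship it, and then filters the way `yum --security update` and `--sec-severity` do. A package with no advisory entry comes back as "unclassified" rather than "not a security update", which is the point at issue in the thread: missing metadata must not be read as a clean bill of health.

```python
"""Parse a yum updateinfo.xml fragment and classify pending package updates."""
import xml.etree.ElementTree as ET

# Severity scale used by yum-plugin-security's --sec-severity option.
SEVERITY_RANK = {"None": 0, "Low": 1, "Moderate": 2, "Important": 3, "Critical": 4}

# Constructed updateinfo.xml fragment in the layout yum-plugin-security reads.
# Advisory ids, hosts, dates and the CVE id are placeholders, not real advisories.
UPDATEINFO_XML = """<updates>
  <update from="updates@example.invalid" status="stable" type="security" version="1">
    <id>EXAMPLE-SA-2014:0001</id>
    <title>Important: bash security update</title>
    <severity>Important</severity>
    <issued date="2014-09-24 00:00:00"/>
    <references>
      <reference href="https://example.invalid/advisories/0001" id="CVE-0000-00001" type="cve" title="placeholder"/>
    </references>
    <pkglist>
      <collection short="example-updates">
        <name>Example updates</name>
        <package name="bash" epoch="0" version="4.1.2" release="1.example" arch="x86_64">
          <filename>bash-4.1.2-1.example.x86_64.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>
  <update from="updates@example.invalid" status="stable" type="bugfix" version="1">
    <id>EXAMPLE-BA-2014:0002</id>
    <title>example-tool bug fix update</title>
    <issued date="2014-09-25 00:00:00"/>
    <pkglist>
      <collection short="example-updates">
        <name>Example updates</name>
        <package name="example-tool" epoch="0" version="1.0" release="2.example" arch="noarch">
          <filename>example-tool-1.0-2.example.noarch.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>
</updates>
"""

# Constructed list of updates a repository offers, as (name, epoch, version, release, arch).
PENDING_UPDATES = [
    ("bash", "0", "4.1.2", "1.example", "x86_64"),
    ("example-tool", "0", "1.0", "2.example", "noarch"),
    ("other-pkg", "0", "2.3", "1.example", "x86_64"),  # no advisory mentions it
]


def parse_updateinfo(xml_text):
    """Return one dict per <update>: id, type, severity, CVE ids and shipped packages."""
    advisories = []
    for upd in ET.fromstring(xml_text).findall("update"):
        cves = [r.get("id") for r in upd.findall("references/reference") if r.get("type") == "cve"]
        packages = [
            (p.get("name"), p.get("epoch", "0"), p.get("version"), p.get("release"), p.get("arch"))
            for p in upd.findall("pkglist/collection/package")
        ]
        advisories.append({
            "id": upd.findtext("id"),
            "type": upd.get("type"),
            # Bugfix/enhancement advisories usually carry no <severity>; treat as "None".
            "severity": upd.findtext("severity") or "None",
            "cves": cves,
            "packages": packages,
        })
    return advisories


def classify_updates(advisories, pending):
    """Map each pending package tuple to the advisories that ship exactly that NEVRA.

    An empty list means the package is unclassified: updateinfo says nothing about it,
    which is not the same as it being a non-security update.
    """
    index = {}
    for adv in advisories:
        for pkg in adv["packages"]:
            index.setdefault(pkg, []).append(adv)
    return {pkg: index.get(pkg, []) for pkg in pending}


def security_only(advisories, pending, min_severity="None"):
    """Emulate `yum --security update` (plus --sec-severity): keep only pending packages
    covered by at least one type="security" advisory at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    selected = []
    for pkg, advs in classify_updates(advisories, pending).items():
        if any(a["type"] == "security" and SEVERITY_RANK.get(a["severity"], 0) >= threshold
               for a in advs):
            selected.append(pkg)
    return selected


if __name__ == "__main__":
    advs = parse_updateinfo(UPDATEINFO_XML)
    for pkg, matched in classify_updates(advs, PENDING_UPDATES).items():
        label = ", ".join(f'{a["id"]} ({a["type"]}/{a["severity"]})' for a in matched) or "UNCLASSIFIED"
        print(f"{pkg[0]}-{pkg[2]}-{pkg[3]}.{pkg[4]}: {label}")
    print("security-only selection:", [p[0] for p in security_only(advs, PENDING_UPDATES)])
```

Running the script lists bash against the security advisory, example-tool against the bugfix advisory, and other-pkg as UNCLASSIFIED; with an incomplete updateinfo.xml that third bucket is exactly the set of packages a `--security`-only workflow would silently skip.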