[CentOS] Re: Apache RPMs

Ross S. W. Walker rwalker at medallion.com
Wed Feb 13 17:04:36 UTC 2008


Scott Silva wrote:
> 
> on 2/13/2008 7:44 AM nate spake the following:
> > Ross S. W. Walker wrote:
> > 
> >> The agencies don't know what security backports vendor XYZ
> >> has implemented and frankly they don't care. All they have
> >> is a list of minimum version numbers that software must be
> >> at in order for it to be deemed "compliant".
> > 
> > So check the actual version number of the package. Using a remote
> > network software scanner to detect security problems based on
> > banner strings provided by the network software is nothing
> > more than a false sense of security.
> > 
> >> I think we will start seeing this in the PCI and HIPAA
> >> compliance regulations first, but I wouldn't be surprised
> >> if it leaks out into GLBA and other regulations over time.
> > 
> > The scanning vendors will be forced to fix their products. It's
> > perfectly acceptable, and preferred behavior to backport patches.
> > Just look at the recent Samba thread here for a good reason
> > why backporting is good. I'd be mightily pissed if RHEL or
> > CentOS switched a version out from under me which caused breakage.
> > I honestly cannot believe that RHEL did that for Samba. If
> > anything introduce a new ALTERNATE package that has the
> > incompatible changes in it and allow users to choose between
> > that one and the original for their systems. That's just me though.
> > Fortunately I don't really use Samba.
>
> Wasn't the samba issue something that was fairly critical,
> but just couldn't be backported?

Yeah, it was a decision whether to keep samba at the same
version but with Windows 2003/Vista incompatibilities or to
up the version knowing it can break customers' setups.

Difficult decision, but every now and then all vendors have
to make at least one controversial decision. Besides, what good
is a Windows compatibility layer that isn't compatible with
the latest version of Windows?

-Ross

______________________________________________________________________
This e-mail, and any attachments thereto, is intended only for use by
the addressee(s) named herein and may contain legally privileged
and/or confidential information. If you are not the intended recipient
of this e-mail, you are hereby notified that any dissemination,
distribution or copying of this e-mail, and any attachments thereto,
is strictly prohibited. If you have received this e-mail in error,
please immediately notify the sender and permanently delete the
original and any copy or printout thereof.
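The check nate describes in the quoted reply, querying the installed package rather than trusting the network banner, worked through as an added example. This script is not from the thread or from any CentOS tooling; it uses the real `rpm -q --changelog` and `rpm -q --qf` commands only when `rpm` is available, and otherwise falls back to a constructed changelog and NVR string embedded below. The CVE identifiers in the sample changelog (CVE-0000-0001, CVE-0000-0002) are placeholders, not real advisories, and the banner string is likewise constructed.

```shell
#!/bin/sh
# Added example: does the package changelog record a fix that the
# banner version cannot show?  All sample data below is constructed.

# Constructed stand-in for `rpm -q --changelog httpd` on a backported build.
# The upstream version stays 2.2.3; fixes show up only in the release tag
# and the changelog.  CVE ids here are placeholders, not real advisories.
SAMPLE_CHANGELOG='* Mon Jan 01 2008 Example Packager <pkg@example.invalid> - 2.2.3-11
- add security fix for CVE-0000-0001 (placeholder id)
- resolves: CVE-0000-0002 (placeholder id)

* Mon Dec 03 2007 Example Packager <pkg@example.invalid> - 2.2.3-10
- rebuild'

# Constructed stand-in for `rpm -q --qf "%{NAME}-%{VERSION}-%{RELEASE}\n" httpd`.
SAMPLE_NVR='httpd-2.2.3-11.el5.centos'

# Constructed banner a remote scanner would see; ServerTokens hides the rest.
SAMPLE_BANNER='Server: Apache/2.2.3'

# Every CVE id recorded in a changelog, one per line, de-duplicated.
cves_in_changelog() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if changelog $1 records CVE id $2, 1 otherwise.
changelog_fixes() {
    cves_in_changelog "$1" | grep -qx "$2"
}

# Upstream version from a NAME-VERSION-RELEASE string (field between the last two '-').
version_of() {
    printf '%s\n' "$1" | sed 's/-[^-]*$//; s/.*-//'
}

# Distribution release tag from a NAME-VERSION-RELEASE string (after the last '-').
release_of() {
    printf '%s\n' "$1" | sed 's/.*-//'
}

# Real changelog and NVR when the package is installed, sample data otherwise.
changelog_for() {
    if command -v rpm >/dev/null 2>&1 && rpm -q "$1" >/dev/null 2>&1; then
        rpm -q --changelog "$1"
    else
        printf '%s\n' "$SAMPLE_CHANGELOG"
    fi
}
nvr_for() {
    if command -v rpm >/dev/null 2>&1 && rpm -q "$1" >/dev/null 2>&1; then
        rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' "$1"
    else
        printf '%s\n' "$SAMPLE_NVR"
    fi
}

main() {
    pkg="${1:-httpd}"
    cve="${2:-CVE-0000-0001}"
    nvr="$(nvr_for "$pkg")"
    log="$(changelog_for "$pkg")"

    echo "banner  : $SAMPLE_BANNER"
    echo "package : $nvr (upstream $(version_of "$nvr"), release $(release_of "$nvr"))"
    echo "changelog CVE ids:"
    cves_in_changelog "$log" | sed 's/^/  /'
    if changelog_fixes "$log" "$cve"; then
        echo "$cve: fix recorded in the $pkg changelog"
    else
        echo "$cve: not recorded in the $pkg changelog; check the vendor advisory"
    fi
}

main "$@"
```

On a real host run it as `sh check.sh httpd CVE-XXXX-NNNN` with the id from the scanner report; the release tag and changelog move with each vendor rebuild even though the banner version does not, which is exactly what a banner-only scanner misses.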