On Fri, Aug 21, 2009 at 05:34:27PM -0400, Jim Perrin wrote:
> On Fri, Aug 21, 2009 at 5:17 PM, Ray Van Dolson <rayvd at bludgeon.org> wrote:
>
> > - Keep phpMyAdmin up to date. Best way to do this is to use a
> >   package from a well known repository like EPEL that keeps the
> >   package at the latest version for you.
>
> I've not beaten EPEL up too much on things like this, but here is one
> instance where it counts. EPEL relies on its packagers to keep things
> current, and in a startling number of cases, they do not. Case in
> point is the wiki software, moin. Moin is at something like 1.8.x or
> 1.9.x now, and has several posted security issues, which have been
> fixed in the most recent versions. EPEL however is still shipping
> 1.5.9 ->
> http://download.fedora.redhat.com/pub/epel/5/i386/repoview/moin.html
>
> Just because it's from a well known 3rd party repository doesn't mean
> it's fully patched. While your advice to use known repositories is
> good, please don't let it fool you into a false sense of security.

The upgrade from Moin 1.5.x to newer versions is not something that can
be automated (as I understand it). Thus the decision was to leave Moin
as is and likely provide a newer moin18 or moin19 package (whatever the
latest is) in the interim and at some point obsolete the older version.
(Hopefully I didn't get that wrong.)

Moin is a special case. For the most part EPEL maintainers do a good job
of keeping things as up to date as they can. Of course, as Jim pointed
out, with any repository maintained by volunteers (this includes
rpmforge, CentOS-extras, etc.), you're at the whim of the packager.
Tread with adequate caution! This is why sysadmins should have some
skills of their own to identify packages that might require a little
extra TLC, or to keep an eye on the appropriate security mailing lists.
We all have a number of tools in our toolchests. :)

For the most part, however, I'm going to prefer a package from an active
repository like EPEL or rpmforge over hand-building something like
phpMyAdmin every time there's a new release. To each their own though...

Ray
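One of the "tools in the toolchest" the thread alludes to is a quick check of what is actually installed against the upstream version that carries the fixes you care about, which is exactly how the moin 1.5.9 lag would have shown up. The script below is an added example written for this page; it is not code from the thread or from EPEL. It implements RPM's version-segment ordering (the `rpmvercmp` rules: numeric segments compare as integers, alpha segments compare as strings, a numeric segment beats an alpha one, `~` marks a pre-release that sorts before the bare version; the `^` marker is left out), then runs a constructed sample of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` output against a watch list. The package names come from the thread; the release strings and the `1.8.0` minimum are constructed placeholders standing in for "the 1.8.x release with the fixes", not advisory data.

```python
import re

# One token per version segment: a run of digits, a run of letters, or the
# pre-release marker '~'. Separators such as '.', '-' and '_' are ignored,
# which is how rpm itself tokenizes version strings.
_SEG = re.compile(r"(\d+|[A-Za-z]+|~)")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version strings: 1 if a is newer, -1 if b is newer, 0 if equal.

    Follows rpm's rpmvercmp ordering for digits, letters and '~'.
    The '^' post-release marker is not implemented (assumption: not needed here).
    """
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            # '~' sorts before anything, including the end of the string
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):          # leading zeros do not matter
                return 1 if int(x) > int(y) else -1
        elif x.isdigit():
            return 1                      # numeric segment is newer than alpha
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1     # plain string order for alpha runs
    if len(sa) == len(sb):
        return 0
    # All shared segments are equal; the string with more segments is newer,
    # unless its extra part starts with '~' (1.0~rc1 is older than 1.0).
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if rest[0] == "~":
        return -1 if a_longer else 1
    return 1 if a_longer else -1


# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` output.
# Names and the moin version are from the thread; releases are made up.
SAMPLE_RPM_QA = """\
moin 1.5.9 3.el5
phpMyAdmin 2.11.9.5 1.el5
httpd 2.2.3 22.el5.centos
"""

# Watch list: package -> oldest upstream version that has the fixes you need.
# Placeholder values for illustration (assumption), not vendor advisory data.
WATCH_LIST = {
    "moin": "1.8.0",
    "phpMyAdmin": "2.11.9.5",
}


def parse_rpm_qa(text: str) -> dict:
    """Turn 'NAME VERSION RELEASE' lines into {name: (version, release)}."""
    pkgs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, version, release = line.split()
        pkgs[name] = (version, release)
    return pkgs


def lagging_packages(installed: dict, watch: dict) -> list:
    """Return (name, installed_version, minimum_version) for every watched
    package whose installed upstream VERSION is older than the minimum.

    Only VERSION is compared: a distro that backports a fix bumps RELEASE
    without changing VERSION, so a hit here means 'go read the changelog',
    not 'definitely vulnerable'.
    """
    out = []
    for name, minimum in watch.items():
        if name not in installed:
            continue                      # not installed, nothing to patch
        version, _release = installed[name]
        if rpmvercmp(version, minimum) < 0:
            out.append((name, version, minimum))
    return out


if __name__ == "__main__":
    for name, have, want in lagging_packages(parse_rpm_qa(SAMPLE_RPM_QA), WATCH_LIST):
        print(f"{name}: installed {have}, upstream fix landed in {want}; check rpm -q --changelog {name}")
```

On a live host you would feed the script the real `rpm -qa` output and maintain the watch list from the security lists the thread recommends following; a hit is a prompt to read `rpm -q --changelog` for a backported fix before deciding whether the repository package is really behind.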