[CentOS] CentOS security advisories

Joshua Bahnsen Joshua.Bahnsen at lumension.com
Thu Jun 18 01:25:33 UTC 2009

> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
> Behalf Of R P Herrold
> Sent: Wednesday, June 17, 2009 5:37 PM
> To: CentOS mailing list
> Subject: [CentOS] CentOS security advisories
> On Wed, 17 Jun 2009, Joshua Bahnsen wrote:
> > I assume you mean this?
> > http://www.redhat.com/legal/legal_statement.html
> That is an assumption you make, all right --- that page does
> not state it is exhaustive, however ...
> > What I mean is, is there a specific Red Hat web page that
> > defines what is acceptable and what is not?
> Feel free to ask them, just not on this list
> > What exactly do you mean by "breaching the rhn aup's"?
> Red Hat's outside counsel has made a statement asserting (in
> part) CentOS project misbehavior by so-called 'deep linking'
> as follows:
>  	Moreover, our client does not allow others [in a
>  	letter directed to asserted improper CentOS project
>  	behavior] to provide links to our client's web site
>  	without permission.
> >> earlier: K B Singh wrote:
> >> yes, its come up a few times, there has been some work done
> >> on it as well, however there is no automated way to get
> >> this info without breaching the rhn aup's
> I realize you [Joshua Bahnsen] feel a need to top post for
> some reason, but it simply means that context threading is
> broken.
> Red Hat's counsel threatened litigation against the project if
> it did not address various alleged issues:
>  	... we trust that this issue can be resolved promptly
>  	and amicably and appreciate your attention to this
>  	matter. We look forward to your reply and request a
>  	response no later than February 4, 2005
> Why would the project go again near a sharp edge that Red Hat
> has chosen to take offense at?  Who shall insure and indemnify
> the project and its members against the costs of defense, let
> alone any damages award?
> Please note that I do not need a reply on that question, as it
> is clearly a rhetorical question.
> -- Russ herrold
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
[Joshua Bahnsen] 

I don't want to cause any trouble here, but what does this have to do with generating advisory information that is provided by the vendor? Are there legal questions around clicking around the publicly available advisory data and generating XML based on that information? Obviously CentOS is generating *SOME* of the data provided by the vendor but not all. I'm merely trying to figure out:

1. Why there is a discrepancy (legal?, time?, need?, etc.)
2. If there is an alternate location to find this advisory information for CentOS
3. If anyone has tried to combine this data into a format consumable by yum-security
4. If using the advisory data provided on the vendor website and changing the title is a valid approach to generate advisory data in which the rpms are named the same

I believe this feature (patching based on advisories) would be advantageous to end users.
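Point 4 above, taking the vendor's advisory data and rewriting only the advisory identity while keeping the package names, is what a yum-security updateinfo.xml needs. The following is an added example, not code from the thread, from CentOS or from Red Hat. It assumes the upstream advisory supplies an ID, a title, a severity, an issue date, reference URLs and the shipped package NEVRAs; the advisory records, package names and sender address in it are constructed placeholders, and the RHSA to CESA prefix swap is a convention assumed here rather than something the thread states. The missing_rpms check at the end is the caveat a practitioner wants: yum matches on exact name/epoch/version/release/arch, so every RPM the advisory references must exist in the repository under the same NEVRA or the advisory will never apply.

```python
"""Build a yum-security style updateinfo.xml from vendor advisory records.

Added example, not part of the original mailing-list thread. All advisory
records below are constructed placeholders, not real advisories.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class Advisory:
    advisory_id: str   # upstream ID in the form PREFIX-YYYY:NNNN
    title: str
    severity: str
    issued: str        # "YYYY-MM-DD HH:MM:SS", the form updateinfo expects
    refs: list         # upstream reference URLs
    packages: list     # dicts with name, epoch, version, release, arch


# Constructed sample input; IDs, URL and package are placeholders.
SAMPLE_ADVISORIES = [
    Advisory(
        advisory_id="RHSA-2009:0001",
        title="Important: example security update",
        severity="Important",
        issued="2009-06-01 00:00:00",
        refs=["https://rhn.redhat.com/errata/RHSA-2009-0001.html"],
        packages=[
            {"name": "example", "epoch": "0", "version": "1.0",
             "release": "2.el5", "arch": "x86_64"},
            {"name": "example", "epoch": "0", "version": "1.0",
             "release": "2.el5", "arch": "i386"},
        ],
    ),
]


def rebrand_id(advisory_id, old="RHSA", new="CESA"):
    """Swap the advisory prefix (assumed convention); the numeric part is
    kept so the entry stays cross-referenceable with the upstream one."""
    if not advisory_id.startswith(old + "-"):
        raise ValueError(f"unexpected advisory id {advisory_id!r}")
    return new + advisory_id[len(old):]


def rpm_filename(pkg):
    """Filename yum expects in <filename>: name-version-release.arch.rpm"""
    return f"{pkg['name']}-{pkg['version']}-{pkg['release']}.{pkg['arch']}.rpm"


def build_updateinfo(advisories, collection="centos-5-base",
                     sender="updates@example.invalid"):
    """Return the <updates> element tree for the given advisories."""
    root = ET.Element("updates")
    for adv in advisories:
        upd = ET.SubElement(root, "update", {"from": sender, "status": "final",
                                             "type": "security", "version": "1"})
        ET.SubElement(upd, "id").text = rebrand_id(adv.advisory_id)
        ET.SubElement(upd, "title").text = adv.title
        ET.SubElement(upd, "severity").text = adv.severity
        ET.SubElement(upd, "issued", {"date": adv.issued})
        refs = ET.SubElement(upd, "references")
        for url in adv.refs:
            # Keep the upstream ID on the reference so the source stays visible.
            ET.SubElement(refs, "reference", {"href": url, "id": adv.advisory_id,
                                              "type": "self", "title": adv.title})
        coll = ET.SubElement(ET.SubElement(upd, "pkglist"), "collection",
                             {"short": collection})
        ET.SubElement(coll, "name").text = collection
        for pkg in adv.packages:
            p = ET.SubElement(coll, "package", {k: pkg[k] for k in
                              ("name", "epoch", "version", "release", "arch")})
            ET.SubElement(p, "filename").text = rpm_filename(pkg)
    return root


def updateinfo_xml(advisories, **kw):
    """Serialise the tree to the text that goes into repodata/updateinfo.xml."""
    return ET.tostring(build_updateinfo(advisories, **kw), encoding="unicode")


def parse_ids(xml_text):
    """Read back the advisory IDs from generated updateinfo text."""
    return [u.findtext("id") for u in ET.fromstring(xml_text).findall("update")]


def missing_rpms(advisories, repo_filenames):
    """RPMs an advisory references that the repository does not carry;
    yum silently never applies an advisory whose packages are absent."""
    present = set(repo_filenames)
    return sorted(rpm_filename(p) for a in advisories for p in a.packages
                  if rpm_filename(p) not in present)


if __name__ == "__main__":
    print(updateinfo_xml(SAMPLE_ADVISORIES))
    print("missing:", missing_rpms(SAMPLE_ADVISORIES, ["example-1.0-2.el5.x86_64.rpm"]))
```

The generated text is dropped into the repository with `modifyrepo updateinfo.xml repodata/` so that `yum --security` and `yum list-sec` can read it; run missing_rpms against the repository's actual file list before publishing, since a mismatch in release tag or epoch is enough for yum to ignore the entry.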
