[OpenAFS] Re: testing RPMs for 1.4.2

Axel Thimm openafs-info@openafs.org
Fri, 13 Oct 2006 22:55:44 +0200

On Fri, Oct 13, 2006 at 04:29:08PM -0400, Jeffrey Hutzelman wrote:
> On Friday, October 13, 2006 09:18:24 PM +0200 Axel Thimm
> <Axel.Thimm@ATrpms.net> wrote:
> >But please do simply upgrade your kernel package. It is important for
> >the security of your system and will also enable you to start with
> >existing binary packages.
> You keep saying this, as if anyone who is running a kernel released earlier
> than yesterday must be a fool and unworthy of assistance.

(Let me start by commenting that I consider your reply as a bit
unnecessarily polemic, but won't bite)

I'm neither implying anyone's a fool, nor promoting non-security
related upgrades and certainly not considering anyone "unworthy of

o The kernel that has been referenced is older than half a year and
  had *6* security updates since (and many more non-security updates)

    060419 [SECURITY] Fedora Core 5 Update: kernel-2.6.16-1.2096_FC5
    060503 [SECURITY] Fedora Core 5 Update: kernel-2.6.16-1.2107_FC5
    060521 [SECURITY] Fedora Core 5 Update: kernel-2.6.16-1.2122_FC5
    060611 [SECURITY] Fedora Core 5 Update: kernel-2.6.16-1.2133_FC5
    060705 [SECURITY] Fedora Core 5 Update: kernel-2.6.17-1.2145_FC5
    060714 [SECURITY] Fedora Core 5 Update: kernel-2.6.17-1.2157_FC5

> But many of us on this list run large computing environments, not
> one-off machines, and releasing new software in such an environment
> can take a long time.

o If you want to run Fedora Core, you need to keep up with the pace of
  it. If you cannot there are RHEL and clones and other enterprise
  grade Linuxes/Unices that have a much slower upgrade pace fitted to
  your environment. Allowing security vulnerabilities to creep into a
  large environment by design (e.g. by choosing a platform that you
  cannot maintain as the vendor requires you to) should be
  revised. Many such environments are using CentOS or Scientific
  Linux, you should really follow that route.

o Not updating a system for any reason only makes sense in a properly
  firewalled environment not offering any exposure to the net. But
  openafs is about (non-local) networking, so especially for openafs
  you should harden your systems even more. Keeping the kernel free of
  known security vulnerabilities is an essential part of it.

o "unworthy of assistance": I have explained how to rebuild the kmdl
  for any kernel, but strongly recommended to upgrade the kernel
  first. What part of it is misunderstood as "unworthy of
  I also consider this advice and this very mail as assistance. If it
  makes a couple more people aware of the issues associated with
  running outdated kernels and other system parts on the net and they
  fix their security vulnerabilities then it will have been a very
  good assistance to them.
Axel.Thimm at ATrpms.net
