On Fri Sep 26, 2003 at 10:31:58AM +0200, Guillaume Rousse wrote:

> > > On Thu Sep 25, 2003 at 07:59:30PM -0400, Levi Ramsey wrote:
> > > > I think the policy should be that anything which listens on a port
> > > > should not, under any circumstances, be in contribs, as contribs are
> > > > not generally updated; I'm sure that someone will come along with a
> > > > sendmail repository and do the updates themselves.
> > >
> > > I disagree. A lot of nice network-type software would be missing and I
> > > sure as heck don't want them all in main. What's wrong with having
> > > them in contribs? They aren't officially maintained... so what? Having
> > > them in contribs, joe sysadmin can grab the src.rpm for what he has
> > > installed, grab the new version or patch, and roll his own. It's still
> > > convenient for him to have it in contribs even if he doesn't get it
> > > via MandrakeUpdate.
> >
> > It does make sense if we have a note attached on them they can pose a
> > security risk and if people use them they should take care they are up
> > to date. Some sort of mechanism that keeps people informed about
> > updates. For example xmule which was found to be exploitable
> > recently. I expect more troubles from that program. A simple warning
> > after installing won't even do... Can somebody come up with a decent
> > solution to this problem?

Hmmm... didn't see this one.  I've got a solution.  Subscribe to
full-disclosure.  You'll see what other vendors are putting out and you'll
be able to see what needs fixing.

> Actually, there is no point just explaining servers in contrib are not 
> updated. A real explanation of mandrake policy would be far better:
> - what is main, what is contrib, and what is update ?
> - what does get updated ?
> etc...

Good grief.. everyone wants policy policy policy... =)

Main is what is in the main tree.  You know, what comes in the download
edition.  The stuff that is labelled "not contribs".  The meat of the
distro.  The equivalent of Mandrake-devel/cooker/i586/Mandrake/RPMS

Contribs is contribs.  It's labelled as such.

updates?  Should be pretty obvious.  Updates are stuff in main that need
fixing for whatever reason.

Main gets updated.  contribs doesn't.

I don't see what is so difficult about this.  This is how it has *always*
been.  It hasn't changed.  No need for a policy regarding it.  This is just
how it's done.

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD}
