On Fri Sep 26, 2003 at 06:51:59PM +0159, Han Boetes wrote: > > [snip] > > Main gets updated. contribs doesn't. > > > > I don't see what is so difficult about this. This is how it has > > *always* been. It hasn't changed. No need for a policy regarding it. > > This is just how it's done. > > I agree that mandrake is not responsible for providing updated packages > for contribs even when there is a security problem. But I think there > is a nice solution: > > msec makes a daily list of all installed rpms. of course it could also > fetch a list of rpms which have security problems from some place. It > could compare those lists and then send a an email to root that there > is a problem with a package and that it should be updated or removed.
Well, that would mean someone has to maintain such a list for contribs. For main, this is easy. Use urpmq to tell you what needs updating in main. For contribs, it's a little more difficult because someone has to maintain this list. I'll be honest, when a new vuln comes out, I grep through a listing of files in main; I don't make file listings for contribs packages, so if grep shows me nothing matches, I move on. -- MandrakeSoft Security; http://www.mandrakesecure.net/ Online Security Resource Book; http://linsec.ca/ "lynx -source http://linsec.ca/vdanen.asc | gpg --import" {FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
pgp00000.pgp
Description: PGP signature
