On Thu Sep 25, 2003 at 09:40:16PM -0400, Albert Whale wrote:

Can you fix your reply-to's as well? It's irksome that replies aren't going to the list.

> >>I am running a System Scan on Several machines. The interesting ones
> >>to me are Linux Mandrake 8.2 and 9.1.
> >>
> >>The issue here is that the Scanning Tools (here I am using Nessus)
> >>expect a specific reply in order to accept or reject the applications
> >>which are communicating on the Server.
> >>
> >>Even though the Mandrake OpenSSH software is upgraded to the latest
> >>version (openssh-server-3.6.1p2-1.1.82mdk) available for the package
> >>(from Mandrake), this still does not reflect the package version
> >>supported for openssh (here being 3.7.1 and above).
> >>
> >>So how do we simplify this Version Numbering and conform with the
> >>Expected results?
> >
> > We don't :) Check the other openssh related threads of this past
> > week or so... you'll see Vincent's reasoning as to why there's not
> > and will not be a 3.7.1 in mdk.
> >
> Thanks, I'll do that, but this makes the job of justifying the Mandrake
> package harder to swallow. Perhaps Gentoo is following the standards??

Ummm... what standards? I didn't realize that upgrading to the latest (broken) version of some software (three times) was a standard?

Seriously, there are darn good reasons for not jumping on the upgrade bandwagon like Gentoo does. For right or wrong, this method of not jumping to the latest version of something has saved us a *lot* of grief. Remember the openssl vulns? Did you *really* want us to upgrade to the latest version of openssl and have to recompile and re-ship everything that depended on it? Sure, let's turn openssl into a 350MB+ download because we have to rebuild parts of KDE amongst many other things just so that nessus doesn't complain. Give me a break.

Justifying the Mandrake package? Please! Justify to whom? Your boss? Are they seeing some fancy table on Red Hat's site that indicates package names, CVE names, and RHSA advisory numbers? Maybe SuSE has this fancy table? Or is it just Gentoo? No, wait. Gentoo doesn't have a fancy table. They just make you upgrade three times (from *source*, mind you) to get the thing fixed. Thanks, but I'll take the table-less backport that only needs to be done once and use *that* as justification, thank you very much.

Bean counters who want Excel spreadsheets really need to wake up. A little graph isn't justification for a "package" or distribution. The quality of the distribution and what it produces for *your* protection should be justification enough. But, hey, if you felt like recompiling openssh three times in two days on your Gentoo boxes and your boss figured that was a good investment, all the power to you.

Now that you think about this a little more, don't you just want to come to the conclusion that this is all a little silly and that using a chart as justification for an OS seems a little... crazy?

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
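The mismatch the thread is about, as an added example (not code from the thread, from Nessus, or from Mandrake): a remote scanner only sees the upstream version in the SSH banner, so it compares that against the upstream release that carries the fix, while the vendor ships the fix as a backport under the old upstream number plus a new package release. The script below runs both checks side by side. The vendor fixed-version table is constructed for illustration and assumes that openssh-server-3.6.1p2-1.1.82mdk, the version string quoted in the thread, is the Mandrake build carrying the backported fix; the `rpmvercmp` here is a simplified reimplementation of RPM's ordering rules, not the one from librpm.

```python
"""Added example: why a banner-only version check flags a backported package.

Not code from the mailing-list thread, Nessus or Mandrake. The vendor table
is constructed: it assumes openssh-server-3.6.1p2-1.1.82mdk is the Mandrake
build with the backported fix.
"""
import re

# SSH identification string, e.g. "SSH-2.0-OpenSSH_3.6.1p2". The upstream
# version is all a remote scanner can see; the vendor release is not in it.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?P<portable>p\d+)?"
)


def parse_openssh_banner(banner):
    """Return the upstream version as a tuple of ints, or None if not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.group("ver").split("."))


def _pad(v, n=3):
    return tuple(v) + (0,) * (n - len(v))


def banner_check(banner, minimum="3.7.1"):
    """Scanner-style check: True (flagged) when the advertised upstream version
    is older than the upstream release that carries the fix."""
    v = parse_openssh_banner(banner)
    if v is None:
        return None
    return _pad(v) < _pad(tuple(int(x) for x in minimum.split(".")))


def _segments(s):
    # rpm-style tokenisation: runs of digits or of letters, separators ignored
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp: numeric segments compare as ints, alpha segments
    lexically, a numeric segment beats an alpha one, and when one string runs
    out the one with segments left over is newer. Returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
            continue
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


# Constructed vendor table (an assumption, not an actual Mandrake advisory):
# package name -> (version, release) of the first build with the backported fix.
VENDOR_FIXED = {
    "openssh-server": ("3.6.1p2", "1.1.82mdk"),
}


def package_check(installed_nvr, vendor_fixed=VENDOR_FIXED):
    """Backport-aware check on the installed name-version-release string.
    True when the package is older than the vendor's fixed build, False when
    it is at or past it, None when the package is not in the table."""
    name, ver, rel = installed_nvr.rsplit("-", 2)
    if name not in vendor_fixed:
        return None
    fver, frel = vendor_fixed[name]
    c = rpmvercmp(ver, fver) or rpmvercmp(rel, frel)
    return c < 0


if __name__ == "__main__":
    banner = "SSH-2.0-OpenSSH_3.6.1p2"          # constructed banner
    pkg = "openssh-server-3.6.1p2-1.1.82mdk"   # version string from the thread
    print("banner-only check flags it:", banner_check(banner))   # True
    print("package check flags it:", package_check(pkg))         # False
```

The banner check is what produces the false positive in the thread: the server says 3.6.1p2, the threshold is 3.7.1, so it is flagged regardless of what the vendor shipped. The package check compares version and release in RPM order against the vendor's own fixed build, which is the only comparison that can tell a backported package from an unpatched one; it needs local access (or an authenticated scan) because that information never appears in the banner.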
