On Thu, 2003-09-25 at 22:37, Vincent Danen wrote:
> On Thu Sep 25, 2003 at 09:40:16PM -0400, Albert Whale wrote:
>
> Can you fix your reply-to's as well? It's irksome that replies aren't going
> to the list.
>
> > >>I am running a System Scan on Several machines. The interesting ones
> > >>to me are Linux Mandrake 8.2 and 9.1.
> > >>
> > >>The issue here is that the Scanning Tools (here I am using Nessus),
> > >>expect a specific reply in order to accept or reject the applications
> > >>which are communicating on the Server.
> > >>
> > >>Even though the Mandrake OpenSSH software is upgraded to the latest
> > >>version (openssh-server-3.6.1p2-1.1.82mdk) available for the package
> > >>(from Mandrake), this still does not reflect the package version
> > >>supported for openssh (here being 3.7.1 and above).
> > >>
> > >>So how do we simplify this Version Numbering and conform with the
> > >>Expected results?
> > >
> > > We don't :) Check the other openssh related threads of this past
> > > week or so...you'll see Vincent's reasoning as to why there's not
> > > and will not be a 3.7.1 in mdk.
> > >
> > Thanks, I'll do that, but this makes the job of justifying the Mandrake
> > package harder to swallow. Perhaps Gentoo is following the standards??
>
> Ummm... what standards? I didn't realize that upgrading to the latest
> (broken) version of a software (three times) was a standard?
>
> Seriously, there are darn good reasons for not jumping on the upgrade
> bandwagon like Gentoo does. For right or wrong, this method of not jumping
> to the latest version of something has saved us a *lot* of grief. Remember
> the openssl vulns? Did you *really* want us to upgrade to the latest
> version of openssl and have to recompile and re-ship everything that
> depended on it? Sure, let's turn openssl into a 350MB+ download because we
> have to rebuild parts of KDE amongst many other things just so that nessus
> doesn't complain. Give me a break.
>
> Justifying the Mandrake package? Please! Justify to whom? Your boss? Are
> they seeing some fancy table on Red Hat's site that indicates package names,
> CVE names, and RHSA advisory numbers? Maybe SuSE has this fancy table? Or
> is it just Gentoo? No, wait. Gentoo doesn't have a fancy table. They just
> make you upgrade three times (from *source* mind you) to get the thing
> fixed.
>
> Thanks, but I'll take the table-less backport that only needs to be done
> once and use *that* as justification, thank you very much. Bean counters
> who want excel spreadsheets really need to wake up. A little graph isn't
> justification for a "package" or distribution. The quality of the
> distribution and what it produces for *your* protection should be
> justification enough.
>
> But, hey, if you felt like recompiling openssh three times in two days on
> your Gentoo boxes and your boss figured that was a good investment, all the
> power to you.
>
> Now that you think about this a little more, don't you just want to come to
> the conclusion that this is all a little silly and that using a chart as
> justification for an OS seems a little... crazy?
Vincent,
I think you know that I agree with the bulk of what you said. The
only sad part is that there are those out there for whom the reaction to
stubbing one's toe is to re-design the floor, never turning on a light.
As proof, I offer:
1. Discussions on how storing your personal data on a server you can't
control increases your safety (passport)
2. The millions of man hours spent every month trying to figure out how
to put a RH rpm on a SuSE server. (most "software management systems")
Myself ... I've learned that when in doubt, you can always cheat and
edit the file so that the app lies when someone does a -V check on the
version. *grin* (I refuse to admit I said that too.)
James
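The disagreement above comes down to how a scanner decides a host is patched: the banner-only check Nessus applies versus one that also reads the vendor package version. The following is an added illustration, not code from the thread, Nessus, or Mandrake; the sample banners are constructed, and the assumption that release 1.1.82mdk of the 3.6.1p2 package carries the backported fix is taken from the thread's own claim, not verified here.

```python
import re

# Upstream version the scanner expects (from the thread: 3.7.1 and above).
FIXED_UPSTREAM = (3, 7, 1)

# Hypothetical backport table: upstream version string -> minimum vendor
# release that carries the fix. The Mandrake release is the one named in
# the thread; treating it as fixed is an assumption for this example.
BACKPORT_FIXED_RELEASE = {"3.6.1p2": "1.1.82mdk"}

# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = {
    "mandrake-9.1": "SSH-2.0-OpenSSH_3.6.1p2",
    "gentoo": "SSH-2.0-OpenSSH_3.7.1p2",
}

def parse_banner(banner):
    """Return ((major, minor, patch), upstream_string) from an SSH banner."""
    m = re.match(r"SSH-\d\.\d-OpenSSH_((\d+)\.(\d+)(?:\.(\d+))?(?:p\d+)?)", banner)
    if not m:
        return None
    full, major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0)), full

def release_tuple(release):
    """Numeric prefix of a vendor release string, e.g. '1.1.82mdk' -> (1, 1, 82)."""
    return tuple(int(x) for x in re.findall(r"\d+", release.split("mdk")[0]))

def banner_only_vulnerable(banner):
    """What the scanner does: anything reporting below 3.7.1 is flagged."""
    parsed = parse_banner(banner)
    return parsed is not None and parsed[0] < FIXED_UPSTREAM

def backport_aware_vulnerable(banner, package_version=None):
    """Same check, but an authenticated package version can clear a backport.

    package_version is the vendor string, e.g. '3.6.1p2-1.1.82mdk'.
    """
    if not banner_only_vulnerable(banner):
        return False
    if package_version is None or "-" not in package_version:
        return True  # nothing better than the banner to go on
    upstream, release = package_version.split("-", 1)
    fixed_release = BACKPORT_FIXED_RELEASE.get(upstream)
    if fixed_release is None:
        return True  # no known backport for this upstream version
    return release_tuple(release) < release_tuple(fixed_release)
```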