Vincent Danen wrote:

On Thu Sep 25, 2003 at 09:40:16PM -0400, Albert Whale wrote:

Can you fix your reply-to's as well? It's irksome that replies aren't going
to the list.


I got my reply replaced, I think that there are some settings to replace the reply-to in some Mailing List Managers as well (not sure which one is in use here).



Thanks, I'll do that, but this makes the job of justifying the Mandrake Package harder to swallow. Perhaps Gentoo is following the standards??



Ummm... what standards? I didn't realize that upgrading to the latest (broken) version of a software (three times) was a standard?

Ok, but that's not what I was referring to.


Seriously, there are darn good reasons for not jumping on the upgrade bandwagon like Gentoo does. For right or wrong, this method of not jumping to the latest version of something has saved us a *lot* of grief. Remember the openssl vulns? Did you *really* want us to upgrade to the latest version of openssl and have to recompile and re-ship everything that depended on it? Sure, let's turn openssl into a 350MB+ download because we have to rebuild parts of KDE amongst many other things just so that nessus doesn't complain. Give me a break.

I understand.

I understand that your policy is WORKING, that's not what I am attempting to discuss.


Justifying the Mandrake package? Please! Justify to whom? Your boss? Are
they seeing some fancy table on Red Hat's site that indicates package names,
CVE names, and RHSA advisory numbers? Maybe SuSE has this fancy table? Or
is it just Gentoo? No, wait. Gentoo doesn't have a fancy table. They just
make you upgrade three times (from *source* mind you) to get the thing
fixed.


WAIT.

I am a die hard Mandrake supporter, and have purchased Mandrake since 6.0, I don't need to justify Mandrake.

We are not communicating here. What I am trying to say is that I want to see Mandrake maintain the leadership it has in package selection and distribution.

SO being on the cutting edge, and knowing that Mandrake IS progressive in managing the CVEs, I am attempting to validate that the proper RPMs for the CVEs are installed on the servers. I'm not talking about a single server, I mean for an enterprise. Sure for a single machine, you cannot justify the creation of a CVE/MDKSA/RPM table, but I'm sure that many admins would be able to make use of this type of tool for their environment. Then again, when those same admins are attempting to plug the holes from their latest Security Audit (whether the Auditors are internal or external), having a Single Reference to validate the patches would simplify the process significantly, for everyone involved.

No one else has this table, but then again, no one else is Mandrake. I have always seen that Mandrake has tried to add more value to their distribution, and I have always promoted this to my customers and acquaintances as well. I realize that your packages save us time and efforts, and I am not attempting to change your philosophy here at all. I am trying to add value here, as an experienced admin, in seeing the needs of admins and Security Audits, this table would easily correlate the MDKSAs to the CVEs and validate that the RPM needed is installed on the server(s).

Thanks, but I'll take the table-less backport that only needs to be done
once and use *that* as justification, thank you very much. Bean counters
who want excel spreadsheets really need to wake up. A little graph isn't
justification for a "package" or distribution. The quality of the
distribution and what it produces for *your* protection should be
justification enough.


Agreed. Unfortunately telling the bean counters to wake up is not going to get them to spend money on Mandrake. Just because We understand the Technical details and benefits of Mandrake, does not mean that everyone else does. Providing tools (like the very useful urpmi), is one way to get them to 'see' the benefit. I don't think that Bean Counters will ever see more than the beans in front of their face.

But, hey, if you felt like recompiling openssh three times in two days on
your Gentoo boxes and your boss figured that was a good investment, all the
power to you.


If I wanted a Gentoo Box, I would download it. If I wanted a more Developed and Mature environment I keep my Mandrake.

Now that you think about this a little more, don't you just want to come to
the conclusion that this is all a little silly and that using a chart as
justification for an OS seems a little... crazy?



I hope that you realize that I am NOT attempting to justify Mandrake with a Table, but I am recommending that the Table be implemented by Mandrake, for the benefit of Administrators that use, support, manage and maintain the Mandrake distribution. I BUY Mandrake products, and want to see more people buy the products as well. Making Mandrake easy to use for the rest of the people will get more people on Mandrake.

Have a Great Day!

--
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
--------------------------------------------------------------------------------
http://www.abs-comptech.com & http://www.No-JunkMail.com ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
No-JunkMail.com - SPAM Stops Here.
Founding Board of Directors of Pittsburgh FBI - InfraGard



