Re: [SCIENTIFIC-LINUX-USERS] Software Collections 1.0 is available for SL 6 (fwd)

2014-04-25 Thread olli hauer
On 2014-04-25 23:27, Pat Riehecky wrote:
> On 04/25/2014 10:27 AM, olli hauer wrote:
>> On 2014-04-25 15:25, Pat Riehecky wrote:
>>> On 04/24/2014 04:21 PM, Orion Poplawski wrote:
>>>> On 10/17/2013 02:27 PM, Connie Sieh wrote:
>>>>> -- Forwarded message --
>>>>> Date: Thu, 17 Oct 2013 15:25:39 -0500
>>>>> From: Connie Sieh 
>>>>> To: cs...@fnal.gov
>>>>> Subject: Software Collections 1.0 is available  for SL 6
>>>>>
>>>>> The following TUV "software collection" products are now available for SL 6.
>>>>>
>>>>> A README with info about yum repos for these packages is available from
>>>>> ftp://sldist.fnal.gov/linux/scientific/6x/external_products/softwarecollections/README
>>>> Any chance of yum-conf-softwarecollections ending up in the main SL repos?


>>> That's an interesting idea.  Let's take it to the devel list and see what 
>>> people think.
>> @me not subscribed to the devel@ list so giving my rant here.
>>
>> The versions provided in softwarecollections have almost already known 
>> vulnerabilities.
>>
>> Picking only the latest CVE entries retrieved after softwarecollections 
>> publish date.
>>
>> php-5.4: CVE-2013-6420
>> postgresql: CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063 
>> CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 CVE-2014-0067
>> python27 / python33: CVE-2014-1912
>> ruby193: CVE-2013-4491 CVE-2013-6414 CVE-2013-6415 CVE-2013-6416 
>> CVE-2013-6417
>>
>> Until the collection gets more notice from upstream I don't think it is a 
>> good idea to provide yum-conf-softwarecollection.
>>
> 
> Yikes!
> 
> Anyone report these CVEs to upstream to make sure they didn't get misplaced?
> 
> Pat
> 

Hi Pat,

perhaps I was too fast with my rant ...

Anyway, comparing upstream checksums with the SC collection will not work, and 
for external products I cannot find repoview files.

Since I have no SC console available for the next few days, I can only check if 
there are already existing upstream errata.

For example:

php-5.4:
 https://access.redhat.com/security/cve/CVE-2013-6420
 https://rhn.redhat.com/errata/RHSA-2013-1815.html

 CVE:  CVE-2013-6420
 RHSA: RHSA-2013:1815-1
 Issued on: 2013-12-11

Updated packages:
php54-php-5.4.16-7.el6.1.x86_64.rpm -> the rpm version matches the one on SC, so 
the rpm should be fine.

So I will ask if it is possible to generate errata files for the packages in 
6x/softwarecollection that can be used later, for example in spacewalk.

-- 
Sorry for the noise, I will do better research next time.

olli
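As an added example (not from the thread, and not SL or TUV tooling), here is the kind of check olli describes in Python: parse the package file names in the SC repo and compare each version-release against the build an RHSA names as the fix, using RPM's segment-wise version ordering rather than plain string comparison. The package list and errata table are constructed; the only pairing taken from the message is php54-php 5.4.16-7.el6.1 / RHSA-2013:1815 / CVE-2013-6420, and the second, older php54-php file name is hypothetical.

```python
import re

# Constructed sample of SC repo file names: the first is the RHSA-2013:1815
# build named in the thread, the second a hypothetical older build (not real).
SAMPLE_PACKAGES = [
    "php54-php-5.4.16-7.el6.1.x86_64.rpm",
    "php54-php-5.4.16-6.el6.x86_64.rpm",
]
# Constructed errata table: name -> [(advisory, CVE, fixed (epoch, ver, rel))];
# only the php54-php entry is taken from the thread.
ERRATA = {
    "php54-php": [("RHSA-2013:1815", "CVE-2013-6420", (0, "5.4.16", "7.el6.1"))],
}

def rpmvercmp(a, b):
    """Simplified rpmvercmp over numeric/alpha runs (no '~'/'^'): -1, 0 or 1."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)   # separators ('.', '_') are ignored
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)          # 16 > 9, unlike string comparison
            if xi != yi:
                return (xi > yi) - (xi < yi)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment outranks alpha
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # longer wins if equal so far

def compare_evr(evr1, evr2):
    (e1, v1, r1), (e2, v2, r2) = evr1, evr2
    if e1 != e2:
        return (e1 > e2) - (e1 < e2)
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)

def parse_nevra(filename):
    """name-[epoch:]version-release.arch.rpm -> (name, epoch, ver, rel, arch)."""
    m = re.match(r"^(.+)-([^-]+)-([^-]+)\.([^.]+)\.rpm$", filename)
    if not m:
        raise ValueError("not an rpm file name: " + filename)
    name, ver, rel, arch = m.groups()
    epoch, ver = ver.split(":", 1) if ":" in ver else ("0", ver)
    return name, int(epoch), ver, rel, arch

def audit(filenames, errata):
    """One (file, CVE, advisory, status) row per errata entry that applies."""
    report = []
    for fn in filenames:
        name, e, v, r, _arch = parse_nevra(fn)
        for advisory, cve, fixed in errata.get(name, []):
            ok = compare_evr((e, v, r), fixed) >= 0   # at or past the fixed EVR
            report.append((fn, cve, advisory, "fixed" if ok else "VULNERABLE"))
    return report
```

A real run would feed it the file names from the repo's repodata or an `ls` of the package directory and an errata table built from the RHSA pages.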


Re: [SCIENTIFIC-LINUX-USERS] Software Collections 1.0 is available for SL 6 (fwd)

2014-04-25 Thread Pat Riehecky

On 04/25/2014 10:27 AM, olli hauer wrote:

On 2014-04-25 15:25, Pat Riehecky wrote:

On 04/24/2014 04:21 PM, Orion Poplawski wrote:

On 10/17/2013 02:27 PM, Connie Sieh wrote:

-- Forwarded message --
Date: Thu, 17 Oct 2013 15:25:39 -0500
From: Connie Sieh 
To: cs...@fnal.gov
Subject: Software Collections 1.0 is available  for SL 6

The following TUV "software collection" products are now available for SL 6.

A README with info about yum repos for these packages is available from
ftp://sldist.fnal.gov/linux/scientific/6x/external_products/softwarecollections/README

Any chance of yum-conf-softwarecollections ending up in the main SL repos?



That's an interesting idea.  Let's take it to the devel list and see what people 
think.

@me not subscribed to the devel@ list so giving my rant here.

The versions provided in softwarecollections have almost already known 
vulnerabilities.

Picking only the latest CVE entries retrieved after softwarecollections publish 
date.

php-5.4: CVE-2013-6420
postgresql: CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063 
CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 CVE-2014-0067
python27 / python33: CVE-2014-1912
ruby193: CVE-2013-4491 CVE-2013-6414 CVE-2013-6415 CVE-2013-6416 CVE-2013-6417

Until the collection gets more notice from upstream I don't think it is a good 
idea to provide yum-conf-softwarecollection.



Yikes!

Anyone report these CVEs to upstream to make sure they didn't get 
misplaced?


Pat

--
Pat Riehecky

Scientific Linux developer
http://www.scientificlinux.org/


Re: [SCIENTIFIC-LINUX-USERS] Software Collections 1.0 is available for SL 6 (fwd)

2014-04-25 Thread olli hauer
On 2014-04-25 15:25, Pat Riehecky wrote:
> On 04/24/2014 04:21 PM, Orion Poplawski wrote:
>> On 10/17/2013 02:27 PM, Connie Sieh wrote:
>>> -- Forwarded message --
>>> Date: Thu, 17 Oct 2013 15:25:39 -0500
>>> From: Connie Sieh 
>>> To: cs...@fnal.gov
>>> Subject: Software Collections 1.0 is available  for SL 6
>>>
>>> The following TUV "software collection" products are now available for SL 6.
>>>
>>> A README with info about yum repos for these packages is available from
>>> ftp://sldist.fnal.gov/linux/scientific/6x/external_products/softwarecollections/README
>>
>> Any chance of yum-conf-softwarecollections ending up in the main SL repos?
>>
>>
> 
> That's an interesting idea.  Let's take it to the devel list and see what 
> people think.

@me not subscribed to the devel@ list so giving my rant here.

The versions provided in softwarecollections have almost already known 
vulnerabilities.

Picking only the latest CVE entries retrieved after softwarecollections publish 
date.

php-5.4: CVE-2013-6420
postgresql: CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063 
CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 CVE-2014-0067
python27 / python33: CVE-2014-1912
ruby193: CVE-2013-4491 CVE-2013-6414 CVE-2013-6415 CVE-2013-6416 CVE-2013-6417

Until the collection gets more notice from upstream I don't think it is a good 
idea to provide yum-conf-softwarecollection.

-- 
Regards,
olli


Re: [SCIENTIFIC-LINUX-USERS] Software Collections 1.0 is available for SL 6 (fwd)

2014-04-25 Thread Pat Riehecky

On 04/24/2014 04:21 PM, Orion Poplawski wrote:

On 10/17/2013 02:27 PM, Connie Sieh wrote:

-- Forwarded message --
Date: Thu, 17 Oct 2013 15:25:39 -0500
From: Connie Sieh 
To: cs...@fnal.gov
Subject: Software Collections 1.0 is available  for SL 6

The following TUV "software collection" products are now available for SL 6.

A README with info about yum repos for these packages is available from
ftp://sldist.fnal.gov/linux/scientific/6x/external_products/softwarecollections/README

Any chance of yum-conf-softwarecollections ending up in the main SL repos?

That's an interesting idea.  Let's take it to the devel list and see what 
people think.


Pat

--
Pat Riehecky

Scientific Linux developer
http://www.scientificlinux.org/