From: Leon Harris (leonquoll.com)
Date: Thu Mar 14 2002 - 17:53:12 CST

    Some information on ETA would be useful then. I do not like this idea of
    leaving vulnerable and out-of-date systems lying around for 6 months
    waiting for the next update to come along. While this current zlib bug
    probably needs a new distro to fix, for the others I think you should
    still release patches.

    >
    >
    >7.0 needs many patches; we have released roughly 70 updated packages
    >for 7.0. 7+ includes security fixes to an additional 30 packages or so.
    >While it is likely that one could piecemeal-upgrade their 7.0 system
    >with updates, a fully-updated 7.0 system will resemble a 7+ system.
    >
    >And, in fact, it is likely that one will be able to take the RPMs we
    >will release for 7+ and upgrade a 7.0 machine with those packages. We
    >won't bother with updates to 7.0 simply because 7+ can be considered as
    >the single omnibus patch that fixes all known problems.
    >

    It is actually "easier" not to give a rat's arse about security, but
    that's hardly the point. I think you are shooting yourselves in the foot
    here - your market is highly security-conscious, and probably highly
    exposed. It is very hard to make the case that you take security
    seriously if you wait months to fix packages. At the very least, you
    should issue a commentary on each CERT advisory to say whether Immunix
    is/is not vulnerable.

    >
    >Yes; there came a point when it was far easier to roll out one large
    >upgrade, rather than continue to handle dozens of smaller updates.
    >(Anyone who has downloaded the 177 megabytes of updated packages is
    >likely to agree that it was time to release a new distribution. :)
    >
    I guess that's me, but no, I would rather have the choice. I don't mind
    paying for it, but I want the choice. I particularly don't like being
    left to dangle, forced to make the choice "do I fix this hole myself,
    possibly breaking future upgradeability, or sit around waiting for
    someone to get me".

    Sorry guys, not good enough.

    Cheers,
    Leon

    _______________________________________________
    Immunix-users mailing list
    Immunix-usersmail.wirex.com
    http://mail.wirex.com/mailman/listinfo/immunix-users