On Sat, 2007-11-03 at 12:23 +0100, Pascal Bleser wrote:
> Aniruddha wrote:
> > I am planning to support openSUSE 10.3 for both companies and home users.
> > I have found the Packman repository irreplaceable to get openSUSE
> > working in all its glory. Thank you for that.
> >
> > Now on with the more serious questions. My basic question is; I do trust
> > you guys, but
>
> > how good are your security policies?
>
> None. Or, well, when we see that there's a bugfix, security fix or newer
> release available, we package it as quickly as possible.
>
> > Is the original source checked for signs of malware?
>
> No, we trust upstream. Just like 99% of all the packagers of all the
> distributions.
>
> > What is your policy for security fixes?
>
> We apply them ASAP when we find out about them. It's not really a policy
> either.
>
> > Who monitors them?
>
> Every member of the Packman team has his set of packages that he takes
> care of. And it's up to each of them to monitor them. Some are on a few
> mailing-lists to catch release announcements as quickly as possible.
> Myself, I just check freshmeat.net (and a few other sites) a few times a
> day to be informed about new releases of the few hundred packages I
> maintain.
>
> > What is the maximum response time if a vulnerability is discovered?
>
> No idea, we don't have any support policy. Could be a few days in worst
> case I guess.
Thank you for all your answers.

> I don't know what world you're living in but we're not paid to do this,
> we do it during our spare time, and it's a considerable effort and
> amount of time, health, and commitment going into this from every single
> member of the team. It's totally unrealistic and just plain impossible
> for us to provide SLAs, maximum response time guarantees or whatever.
> Get real.
>
> If you want a really secure environment (_if_ you actually need that
> level of paranoia), then only use the packages that come with the
> distribution.
>
> And as the Subversion team likes to put it: "patches are welcome"

Pascal, in the world I live in, people don't regard questions as personal
attacks. Nor do they feel the need to talk in a demeaning manner. However
tempting it might be, I am not going to lower myself to this level of
discussion.

I own my own IT company; I have to know 100% certain what I offer my
customers. Companies rely on me for good solid advice. Operating systems
are just a tool for me, nothing more. Apparently openSUSE/SLED doesn't
offer the solution I need. That's fine with me. I'll just go on and advise
another 'tool' that does offer the kind of security I need.

Gentoo for example is 100% free, it's entirely maintained by volunteers,
and has the highest security standards in the industry:

http://www.gentoo.org/doc/en/security/index.xml
http://www.gentoo.org/security/en/index.xml
http://www.gentoo.org/security/en/vulnerability-policy.xml
http://www.gentoo.org/security/en/coordinator_guide.xml

Besides Gentoo there is Ubuntu/Debian/FreeBSD, which shows that it is
possible to make a very secure distribution with only volunteers.

--
Regards,

Aniruddha

_______________________________________________
Packman mailing list
[email protected]
http://212.112.227.138/cgi-bin/mailman/listinfo/packman
