My apologies for the inflammatory tone in my initial reply; it was uncalled for with your honest question. Previous threads about release engineering processes got my panties a bit in a tiffy, so again, sorry for that.
"To those saying that Red Hat should not prioritize an updated sendmail package; should they release Red Hat 8.1 with a vulnerable sendmail that was beta tested, or should they release it with a patched but untested sendmail?"
I tried to answer this in the previous email. The changes you refer to for sendmail have been applied to the sendmail updates for all Red Hat update channels, so the changes have been tested widely and thoroughly.
First, this was a question; I wasn't making a "claim" about what I "think". The question was addressed to "those saying that Red Hat should not prioritize an updated sendmail package". I was playing devil's advocate, trying to present another point of view using sarchasm (apparently the sarchasm wasn't as obvious as I intended).
In fact, that was not my point. I said I can understand that it is not a priority, and responded to people who said Red Hat has an obligation to update it now, that that's the risk and the game of running a beta. Anyone can take the errata update for rh8 and compile it and not be vulnerable, so that's not stopping them.
The question was simple, based on this fact: Red Hat can either release an updated sendmail package for the beta, or not. If they do, the updated package can be thoroughly beta tested (interacting with the other packages) before final release. If they don't, either the vulnerable sendmail package will be in the final release, or an updated but untested sendmail package will be released. The question (of those to whom it was addressed) was which of these should Red Hat do.
The patches will have been tested internally at Red Hat before being shipped out as an update for rh 7.2/7.3/8.0. (I'm sure they have quite a host of regression & stability test suites at their test labs; so do their partners such as Dell, Sun, IBM and so on.) Secondly, Red Hat has a lot more 'closed' betas than open betas, so chances are they have already been tested there too. Lastly, the patches have been applied by all Linux (and win/unix sendmail using) vendors, so I would think they are very, very well tested in the end, much more so than a phoebe update would ever, ever do; and a much wider range of 'interacting with other programs' has been tested than just a single Red Hat release.
So it seems obvious to me that the updated version will be included, and will have seen a lot of testing, both in test labs, user groups and in production use. Taking that statement, maybe you can understand my somewhat surprised reaction at your suggestion that rh could ever ship a known-vulnerable sendmail package.
P.S. I think it's great that you compiled the errata into a package; it will prevent vulnerable beta machines.
I just wanted to defuse the argument that every beta machine 'is now vulnerable'. With this, and with the openssl updates, it is fully possible to take the rh8 errata updates and compile them for phoebe (or forward port the fixes). If you're unable to do so, maybe a beta is not where you want to be (or you should be willing to carry the risk that comes with it). If you're unwilling, but are playing devil's advocate, then you're only annoying people and not contributing to the community's well-being.
Thanks for the reply and for calling me on the inappropriate tone of my reply.
-- Chris
-- Phoebe-list mailing list [EMAIL PROTECTED] https://listman.redhat.com/mailman/listinfo/phoebe-list
