Maybe adding some file-naming scheme that addresses back-ported security fixes might be an easily identifiable mark that users will get accustomed to, instead of naming the rpm 1.1.3 when most errata warnings point to this version as a security risk. Maybe adding something like 1.1.3.bp-sec.rpm. This would still let the user know that it was addressed with the security patch, but is still a few versions behind the mainstream program version that is out there.
If the whole reason is that a program was upgraded to the newer version, then the newer version number would be the better method to address the upgrade.

Jim

-------------

Michael Schwendt wrote:

> On Fri, 14 Mar 2003 05:55:45 -0500 (EST), Mike A. Harris wrote:
>
> > On 13 Mar 2003, Philip Wyett wrote:
> >
> > > No, the version in AS is 1.1.3 and until someone updates the rpm to say
> > > it's 1.1.4, it is 1.1.3. So they maybe back-ported the fix, but there is
> > > no direct info related to AS that says it has the fix and it is not an
> > > AS user's job to go search other RH versions' errata or check the 1.1.3
> > > source rpm or rpm --changelog and see if the issue has been
> > > addressed.
> >
> > The 1.1.3 RPM will not be updated to say it is 1.1.4 because it
> > is not 1.1.4. Red Hat RPM packages, in addition to containing
> > the version of the software that is indicated, contain various
> > bug fixes, security fixes, enhancements and other patches that
> > are a part of the OS engineering process.
>
> Unfortunately, this versioning scheme and lack of knowledge of Red
> Hat's back-porting efforts are the source of a common misconception
> among fussy admins as well as home users.
>
> Although I'm familiar with the methods, I would not mind if *every*
> security advisory from Red Hat pointed out when an erratum contains
> a back-ported fix and therefore remains at a lower version number
> than suggested by the software vendor.
>
> Because vendors' security advisories find their way onto the news
> web sites. And people read such security news more carefully than
> Red Hat's advisories. IMO it is not uncommon that when they read
> they are recommended to upgrade to the latest version of software
> XYZ, they get the tarball. Or someone with lack of insight examines
> the company's web server with e.g. "wget --server" and complains
> that an "old" version of Apache, which contains vulnerabilities,
> is running. It's the source of unfortunate misunderstandings. Even
> adding a timestamp to a version might help.
>
> --
> Phoebe-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/phoebe-list

--
Democracy is a form of government that substitutes election by the incompetent many for appointment by the corrupt few. -- G.B. Shaw
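The check Philip Wyett mentions, reading `rpm --changelog` to see whether a fix was back-ported into a package whose upstream version number never changed, as a small script. This is an added example and not from the thread; the changelog text, packager name and fix wording are constructed, and the function assumes the usual "* DATE NAME <EMAIL> - VERSION-RELEASE" header layout.

```shell
#!/bin/sh
# Constructed sample of `rpm -q --changelog PKG` output (not taken from the
# mail): the upstream version stays 1.1.3 while release -5 carries the
# back-ported fix. Packager name, address and wording are made up.
SAMPLE_CHANGELOG='* Fri Mar 14 2003 Example Packager <packager@example.invalid> - 1.1.3-5
- back-port security fix for the overflow fixed upstream in 1.1.4
- see the vendor advisory for details

* Mon Feb 10 2003 Example Packager <packager@example.invalid> - 1.1.3-4
- rebuild against new libc

* Wed Jan 08 2003 Example Packager <packager@example.invalid> - 1.1.3-3
- initial build of 1.1.3'

# fix_release PATTERN  (changelog text on stdin)
# Prints the version-release of the newest entry whose body matches PATTERN
# (extended regex, case-insensitive); exit status 1 if no entry matches.
# Assumes the header layout "* DATE NAME <EMAIL> - VERSION-RELEASE", so the
# last field of a "* " line is taken as the version-release.
fix_release() {
    awk -v pat="$1" '
        /^\* /  { evr = $NF; next }
        NF && !found && tolower($0) ~ tolower(pat) { print evr; found = 1 }
        END     { exit found ? 0 : 1 }
    '
}

# Audit the installed package by its changelog rather than by the version
# string in its name. On a real RPM system the input would come from
#   rpm -q --changelog apache | fix_release 'CVE-[0-9]+-[0-9]+'
if evr=$(printf '%s\n' "$SAMPLE_CHANGELOG" | fix_release 'security fix'); then
    echo "fix is carried by release $evr"   # prints: fix is carried by release 1.1.3-5
else
    echo "no changelog entry mentions the fix"
fi
```

The same pipeline answers the "old Apache" complaint from the thread: the banner version is not evidence either way, the changelog entry is.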
