On Mon, 18 Jan 1999, Scott Bronson wrote:
> However, in doing so, I believe that SuSE has an obligation to keep
> their RPMs up to date. Currently, they are not. Therefore, I have
> resorted to installing new software using Red Hat RPMs. I could install
> the tarballs, of course, but I find that installing RH RPMs on SuSE is
> easier (most of the time it just involves a symlink or two).
I don't think staying current is easy. I think for them to do it they'd
almost need someone committed to just doing that, given the fast
turnaround of apps in Linux, which are updated, upgraded, changed, etc.
faster than any other OS I've seen. I think the closest they might get is
contributions to the contributory archive, and even then that opens up
other potential problems... I think people that complain about the lack of
current RPMs are underestimating the massive task of staying current in an
OS with such a quick turnaround time.
Contributory archives are o.k. But I only think it'll work for exchanging
things between people with stock systems. Many of us have non-standard
systems. For instance, if I build a gtk+ app and upload an RPM for it
but my gtk+ is not the stock gtk that came with S.u.S.E., then the app may not
install or work right for someone with an older gtk, so to add contributed
stuff, you'd have to be _real_ concerned about dependency issues and
run-time necessities. Especially with apps with massive dependency issues
like Gimp, or Gnome.
I still think if you want to stay current you have to roll some of your
own stuff. I don't see ANY dist being current and keeping up with all the
daily stuff that's happening all the time in Linux, especially since RPM,
unlike tar.gz source builds, takes a lot from the idea of system homogeny.
> I find this lack of attention from SuSE a little frightening. I've been
> using rufus.w3.org since SuSE says nothing about new RPMs (only bug
> fixes) on their web site, and most of the SuSE RPMs there are already
> out of date.
No dist is current that I've seen. I think Debian seems to be more current
than S.u.S.E. or RedHat, at least this is what I've heard. Even with the
RedHat RPMs, many are 'contributed' RPMs that aren't necessarily
'sanctioned' by RedHat, so you use them at your own risk. Whenever an RPM is
glibc or in RedHat's contributory archive, people call them 'RedHat' RPMs,
which isn't quite accurate really, is it? And why the heck do people
assume that these RPMs are 'safe' anyway? Where'd that come from? Who
checks them out and makes sure they don't have issues? Most of them are
'use at your own risk'.
> There have already been tarball trojans. Nobody reads every line of
> source before they make install. Few people even scour the makefile.
> As always, caveat installer.
Yes, and they are fairly easy to inquire. But, anyone that can roll RPMs
can do the same thing with RPM. It's neither safer nor less safe than
tar.gz.
> My guess is that PGP/MD5-verified RPMs from Red Hat and SuSE will never
> have trojans--both companies are very good about the software they
> pick. If they do mistakenly ship a trojan, you can bet their customers
> will hear about it and the fix very quickly.
Why does everyone think Linux is a secure OS? I don't see why we should
make this assumption. As things stand, trojans are possible in RPMs _and_
tarballs, and I'm surprised there aren't more announced security
problems than there are. How hard would it be for someone to post a
'mirror' site of some real Linux sites, to 'help with overload', and put up
recent copies of shell utilities or other necessary programs in tarball
or RPM format with hacked code? Not hard at all. In some ways I think open
source has a drawback in that although it helps development it leaves the
door open for lots of mischief. It amazes me that there aren't more
trojan incidents, and that people think Linux is secure. At times I think
Linux is less secure than other brands of Unix.
Does anyone think Linux is more secure than, say, Solaris or HP-UX? If so,
give me your reasons why. (Most will say that bugs are discovered and
fixed faster because of the openness of development. I say that the
openness of development also makes it easier for a malicious coder to play
nasty tricks with the code. To me it's a catch-22 at best, a false sense
of security at worst.)
Scott's right about PGP verification.
-M
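The point both posters land on, that a download from a mirror is only as trustworthy as a digest or signature obtained from the vendor itself, can be shown with a small verifier. This is an added example, not code from the thread: it parses an md5sum/sha256sum-style manifest (assumed to have been fetched and signature-checked from the vendor's own site, not the mirror), hashes the mirrored files and reports what matches, what was tampered with, what the mirror is missing and what it added on its own. All file contents and names are constructed sample data; SHA-256 is used by default because MD5 is no longer collision-resistant, but the md5 manifests of the period work via the algorithm parameter.

```python
import hashlib
import hmac

# Constructed sample data: what the vendor actually published...
GENUINE = {
    "fileutils-4.0.tar.gz": b"genuine fileutils tarball contents\n",
    "sh-utils-1.16.tar.gz": b"genuine sh-utils tarball contents\n",
    "textutils-1.22.tar.gz": b"genuine textutils tarball contents\n",
}
# ...the manifest as the vendor would publish (and PGP-sign) it on its own site,
TRUSTED_MANIFEST = "\n".join(
    f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in GENUINE.items()
)
# ...and what an untrusted "overload relief" mirror actually serves:
# one genuine file, one altered file, one file missing, one file nobody published.
MIRROR_FILES = {
    "fileutils-4.0.tar.gz": GENUINE["fileutils-4.0.tar.gz"],
    "sh-utils-1.16.tar.gz": b"tampered sh-utils tarball contents\n",
    "gcc-2.8.1.tar.gz": b"something the vendor never shipped\n",
}


def parse_manifest(text):
    """Parse '<hexdigest>  <filename>' lines (md5sum/sha256sum output).
    Accepts the ' *filename' binary marker, skips blanks and '#' comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if not name or any(c not in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries


def verify_downloads(files, manifest_text, algorithm="sha256"):
    """Map each filename to 'ok', 'MISMATCH', 'MISSING' or 'UNLISTED'.
    files: filename -> bytes as fetched from the mirror; manifest_text: trusted manifest."""
    expected = parse_manifest(manifest_text)
    results = {}
    for name, digest in expected.items():
        if name not in files:
            results[name] = "MISSING"  # vendor lists it, mirror does not have it
            continue
        actual = hashlib.new(algorithm, files[name]).hexdigest()
        results[name] = "ok" if hmac.compare_digest(actual, digest) else "MISMATCH"
    for name in files:
        if name not in expected:
            results[name] = "UNLISTED"  # mirror offers it, vendor never published it
    return results
```

Only files reported 'ok' should be handed to tar or rpm; an UNLISTED file is exactly the "hacked copy on a helpful mirror" case the message describes.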
-
To get out of this list, please send email to [EMAIL PROTECTED] with
this text in its body: unsubscribe suse-linux-e
Check out the SuSE-FAQ at http://www.suse.com/Support/Doku/FAQ/ and the
archive at http://www.suse.com/Mailinglists/suse-linux-e/index.html