From: Simon Matter (no email)
Date: Thu Nov 08 2007 - 17:03:38 EST
> On Thu, Nov 08, 2007 at 07:36:24PM +0100, Simon Matter wrote:
>
>> It may not be worth for you to worry about it but it is worth for me and
>> maybe also for Ken. People using my RPMs expect things to work. And
>> people
>> do use it on affected systems and they fill my mailbox or the list with
>> complaints if Cyrus segfaults for them.
>
> People using RPMs can just install the security updates just as easily
> as a new Cyrus RPM. The Red Hat advisory said a patch is available even
> for Red Hat 7.1; are you still actively maintaining packages for Red Hat
> 6.x?
RedHat 7.x is the lowest version where the package builds (which is also
RHEL 2.1 level). But I don't know why this bug should have been fixed in
RedHat 7.1, it has never existed there! What I know is that it has never
been fixed in Fedora Core 1 and never been fixed in RedHat 9 (it has only
been fixed in RedHat EL3). Both platforms are still widely used, believe
it or not. Need examples, check out on which platforms the Slashdot
webservers run!
>
> And what is better? Hiding the problem under the carpet, or saying "See,
> you have a security bug that is known for 4 years. If you have a bug
> that old you probably have lots of other unfixed security bugs as well.
> Go fix your system!". If you do care about the users, you should educate
> them to always install security updates.
That kind of thinking is part of the problem. I can't teach other people
to take security serious but at the same time release an RPM package which
segfaults on their systems. That way I make myself part of their problem.
Simon
---- Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
|
|
|