SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I see plenty of people in the extended Slackware community with opinions on this subject, but I don't see that any of the people who are worried are actually *doing* anything. If we are in fact a community that is supportive of Slackware and the team who bring it to us, and if we want to say thank you to them in a practical way, then maybe we can help:
I think that many users would be happy to do what you suggest if their work went back into the distribution. This is the way "collaborative" projects (like Debian, Fedora, etc.) work: you do some work, you become a developer and your contributions become part of the distribution.
If someone installs Slackware and doesn't read the license, it's his fault only to do so.
The license provides no information about security policies, just an "If it breaks, you are on your own". However, the fact that there is a mailing list for security advisories can make people think that there is a working security team, which is not.
Quote:
What misinformation?
Misinformation about which fixes will be ported, how will they be ported, why, when. The fact that many security fixes will not be applied because upstream hasn't, compilation is hard or because of other factors is not widely known. Misinformation of when a critical security bug won't be fixed in an old version because the patch fails to compile. Misinformation about why binary blobs are never placed in the /patch directory even when they contain exploits that are being used in the wild. And that was when the security service was working.
And my favorite. Misinformation about what happened to the community fixes that were provided when Patrick was ill and could not provide them by himself. Were they merged with the Slackware tree, or there were steps taken to fix the related vulnerabilities in the official distribution? No.
Quote:
If we are in fact a community that is supportive of Slackware and the team who bring it to us, and if we want to say thank you to them in a practical way, then maybe we can help
It has happened in the past (read above). As far as I know, fixes were not included in Slackware's tree.
Do you want -
(1) to work with other people to make your systems secure; or,
(2) to do nothing, and complain about not being given enough love in ancient history?
Actually, I think we already have enough data to answer that question.
Do you want -
(1) to work with other people to make your systems secure; or,
...
You can't just start producing updated packages and expect users to install them without having an oganization, standards, policies, etc. and without being officially recognized. Why should users trust you (or me or anyone else) ? And what happens to your/our packages when the official Slackware updates appear?
I'm not suggesting that anyone should distribute binaries. I'm suggesting that people should make posts exactly like Ponce's, which say, "It appears there's a realistic openssl vulnerability and an upstream release that corrects it; if you use Pat's SlackBuild to build it yourself, it seems to be ok"
Quote:
Originally Posted by fgcl2k
And what happens to your/our packages when the official Slackware updates appear?
If you use 'slackpkg upgrade', they will be replaced, which is exactly how it should be. Duh.
I'm suggesting that people should make posts exactly like Ponce's, which say, "It appears there's a realistic openssl vulnerability and an upstream release that corrects it; if you use Pat's SlackBuild to build it yourself, it seems to be ok".
Actually it said:
Quote:
I tried to update to openssl-0.9.8s with the -current slackbuild and it seems to have not broken openssh
Not something you would install on a production server at work (where security patches are most needed), for example, and sleep well. Although I respect people working to help others, this type of uncoordinated effort is not what is needed for security and updates to the base system, IMHO.
If you look at that long list of "vulnerabilities" there are actually very few that have any relevance to Slackware at all. Don't get all excited. As long as nobody updates that Google Doc with "this applies to Slackware version X and was not fixed there" I do not take it too seriously.
I tried to update to openssl-0.9.8s with the -current slackbuild and it seems to have not broken openssh
Not something you would install on a production server at work (where security patches are most needed), for example, and sleep well. Although I respect people working to help others, this type of uncoordinated effort is not what is needed for security and updates to the base system, IMHO.
what will be needed, in your opinion?
remember that you're the only one in charge for the security of your installs at work, not Pat or a third party that publish advisories/fixes.
I tried to update to openssl-0.9.8s with the -current slackbuild and it seems to have not broken openssh
It works too under Slackware x86_64.
Quote:
I think you're referring to *lack* of information. *Misinformation* is *bad or wrong, or misleading*.
Thank you for pointing this out.
Quote:
You can't just start producing updated packages and expect users to install them without having an oganization, standards, policies, etc. and without being officially recognized. Why should users trust you (or me or anyone else) ? And what happens to your/our packages when the official Slackware updates appear?
Users have no particular reasons to trust you (in fact, I like SlackBuilds because it allows you to build from the original source if you track it down). The problem with comunity a effort is that a) it is not official and b) your packages wonīt be merged whith Slackware when the storm is over.
Quote:
If you look at that long list of "vulnerabilities" there are actually very few that have any relevance to Slackware at all.
Correct, most vulnerabilities donīt affect Slackware or are of little impact. However, you have to think no hard if you wanīt to find worrying cases. The latest Firefox release fixes many problems tagged as "Critical" that are related to GNU/Linux, for example.
I suggest opening a sticky thread were new vulnerabilities and solutions could be discussed.
An official security team. I understand that this is not the way Slackware works, of course; I don't blame anyone, it's a matter of choice.
Quote:
remember that you're the only one in charge for the security of your installs at work, not Pat or a third party that publish advisories/fixes.
At work nobody will blame you if you install an official security update and things go wrong but you will be blamed if you install and update which "apparently" works and "maybe" doesn't break other programs. I don't have time to scrutinize every single line of code which goes into the system; I prefer to put the blame on someone else, if possible :-)
An official security team. I understand that this is not the way Slackware works, of course; I don't blame anyone, it's a matter of choice.
At work nobody will blame you if you install an official security update and things go wrong but you will be blamed if you install and update which "apparently" works and "maybe" doesn't break other programs. I don't have time to scrutinize every single line of code which goes into the system; I prefer to put the blame on someone else, if possible :-)
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.