LinuxQuestions.org
Old 01-18-2012, 06:07 AM   #61
fgcl2k
Member
 
Registered: Jan 2011
Distribution: Slackware 14.1
Posts: 105

Rep: Reputation: 26

Quote:
Originally Posted by 55020 View Post
I see plenty of people in the extended Slackware community with opinions on this subject, but I don't see that any of the people who are worried are actually *doing* anything. If we are in fact a community that is supportive of Slackware and the team who bring it to us, and if we want to say thank you to them in a practical way, then maybe we can help:
I think that many users would be happy to do what you suggest if their work went back into the distribution. This is the way "collaborative" projects (like Debian, Fedora, etc.) work: you do some work, you become a developer and your contributions become part of the distribution.
 
1 members found this post helpful.
Old 01-18-2012, 06:37 AM   #62
BlackRider
Member
 
Registered: Aug 2011
Distribution: Slackware
Posts: 261

Rep: Reputation: 82
Quote:
If someone installs Slackware and doesn't read the license, it's his fault only to do so.
The license provides no information about security policies, just an "If it breaks, you are on your own". However, the fact that there is a mailing list for security advisories can make people think that there is a working security team, which there is not.

Quote:
What misinformation?
Misinformation about which fixes will be ported, how they will be ported, why, when. The fact that many security fixes will not be applied because upstream hasn't, compilation is hard or because of other factors is not widely known. Misinformation of when a critical security bug won't be fixed in an old version because the patch fails to compile. Misinformation about why binary blobs are never placed in the /patch directory even when they contain exploits that are being used in the wild. And that was when the security service was working.

And my favorite. Misinformation about what happened to the community fixes that were provided when Patrick was ill and could not provide them by himself. Were they merged with the Slackware tree, or were there steps taken to fix the related vulnerabilities in the official distribution? No.

Quote:
If we are in fact a community that is supportive of Slackware and the team who bring it to us, and if we want to say thank you to them in a practical way, then maybe we can help
It has happened in the past (read above). As far as I know, fixes were not included in Slackware's tree.
 
Old 01-18-2012, 07:10 AM   #63
55020
Member
 
Registered: Sep 2009
Location: Yorks. W.R. 167397
Distribution: Slackware
Posts: 366
Blog Entries: 4

Rep: Reputation: 330
Do you want -
(1) to work with other people to make your systems secure; or,
(2) to do nothing, and complain about not being given enough love in ancient history?

Actually, I think we already have enough data to answer that question.
 
Old 01-18-2012, 07:19 AM   #64
ponce
Senior Member
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 2,447

Rep: Reputation: 875
I tried to update to openssl-0.9.8s with the -current slackbuild and it seems to have not broken openssh

if I spot something not working with this update, I'll report back
 
1 members found this post helpful.
Old 01-18-2012, 07:34 AM   #65
mrclisdue
Senior Member
 
Registered: Dec 2005
Distribution: Slackware -current, 14.1
Posts: 1,047

Rep: Reputation: 170
Quote:
Originally Posted by BlackRider View Post
Misinformation
I think you're referring to *lack* of information. *Misinformation* is *bad or wrong, or misleading*.

Not trying to be a nazi, just hoping to clarify....

cheers,
 
Old 01-18-2012, 07:37 AM   #66
fgcl2k
Member
 
Registered: Jan 2011
Distribution: Slackware 14.1
Posts: 105

Rep: Reputation: 26
Quote:
Originally Posted by 55020 View Post
Do you want -
(1) to work with other people to make your systems secure; or,
...
You can't just start producing updated packages and expect users to install them without having an organization, standards, policies, etc. and without being officially recognized. Why should users trust you (or me or anyone else)? And what happens to your/our packages when the official Slackware updates appear?
 
Old 01-18-2012, 07:44 AM   #67
55020
Member
 
Registered: Sep 2009
Location: Yorks. W.R. 167397
Distribution: Slackware
Posts: 366
Blog Entries: 4

Rep: Reputation: 330
Quote:
Originally Posted by fgcl2k View Post
You can't just start producing updated packages
I'm not suggesting that anyone should distribute binaries. I'm suggesting that people should make posts exactly like Ponce's, which say, "It appears there's a realistic openssl vulnerability and an upstream release that corrects it; if you use Pat's SlackBuild to build it yourself, it seems to be ok"

Quote:
Originally Posted by fgcl2k View Post
And what happens to your/our packages when the official Slackware updates appear?
If you use 'slackpkg upgrade', they will be replaced, which is exactly how it should be. Duh.
 
Old 01-18-2012, 07:58 AM   #68
fgcl2k
Member
 
Registered: Jan 2011
Distribution: Slackware 14.1
Posts: 105

Rep: Reputation: 26
Quote:
Originally Posted by 55020 View Post
I'm suggesting that people should make posts exactly like Ponce's, which say, "It appears there's a realistic openssl vulnerability and an upstream release that corrects it; if you use Pat's SlackBuild to build it yourself, it seems to be ok".
Actually it said:
Quote:
I tried to update to openssl-0.9.8s with the -current slackbuild and it seems to have not broken openssh
Not something you would install on a production server at work (where security patches are most needed), for example, and sleep well. Although I respect people working to help others, this type of uncoordinated effort is not what is needed for security and updates to the base system, IMHO.
 
Old 01-18-2012, 08:03 AM   #69
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,259

Rep: Reputation: Disabled
If you look at that long list of "vulnerabilities" there are actually very few that have any relevance to Slackware at all. Don't get all excited. As long as nobody updates that Google Doc with "this applies to Slackware version X and was not fixed there" I do not take it too seriously.

Eric
 
Old 01-18-2012, 08:10 AM   #70
ponce
Senior Member
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 2,447

Rep: Reputation: 875
Quote:
Originally Posted by fgcl2k View Post
Actually it said:
Quote:
I tried to update to openssl-0.9.8s with the -current slackbuild and it seems to have not broken openssh
Not something you would install on a production server at work (where security patches are most needed), for example, and sleep well. Although I respect people working to help others, this type of uncoordinated effort is not what is needed for security and updates to the base system, IMHO.
what will be needed, in your opinion?

remember that you're the only one in charge of the security of your installs at work, not Pat or a third party that publishes advisories/fixes.

Last edited by ponce; 01-18-2012 at 08:15 AM.
 
Old 01-18-2012, 08:20 AM   #71
BlackRider
Member
 
Registered: Aug 2011
Distribution: Slackware
Posts: 261

Rep: Reputation: 82
Quote:
I tried to update to openssl-0.9.8s with the -current slackbuild and it seems to have not broken openssh
It works too under Slackware x86_64.

Quote:
I think you're referring to *lack* of information. *Misinformation* is *bad or wrong, or misleading*.
Thank you for pointing this out.

Quote:
You can't just start producing updated packages and expect users to install them without having an organization, standards, policies, etc. and without being officially recognized. Why should users trust you (or me or anyone else)? And what happens to your/our packages when the official Slackware updates appear?
Users have no particular reasons to trust you (in fact, I like SlackBuilds because it allows you to build from the original source if you track it down). The problem with a community effort is that a) it is not official and b) your packages won't be merged with Slackware when the storm is over.

Quote:
If you look at that long list of "vulnerabilities" there are actually very few that have any relevance to Slackware at all.
Correct, most vulnerabilities don't affect Slackware or are of little impact. However, you don't have to think hard if you want to find worrying cases. The latest Firefox release fixes many problems tagged as "Critical" that are related to GNU/Linux, for example.

I suggest opening a sticky thread where new vulnerabilities and solutions could be discussed.
 
Old 01-18-2012, 08:59 AM   #72
fgcl2k
Member
 
Registered: Jan 2011
Distribution: Slackware 14.1
Posts: 105

Rep: Reputation: 26
Quote:
Originally Posted by ponce View Post
what will be needed, in your opinion?
An official security team. I understand that this is not the way Slackware works, of course; I don't blame anyone, it's a matter of choice.
Quote:
remember that you're the only one in charge of the security of your installs at work, not Pat or a third party that publishes advisories/fixes.
At work nobody will blame you if you install an official security update and things go wrong but you will be blamed if you install an update which "apparently" works and "maybe" doesn't break other programs. I don't have time to scrutinize every single line of code which goes into the system; I prefer to put the blame on someone else, if possible :-)
 
Old 01-18-2012, 09:01 AM   #73
ponce
Senior Member
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 2,447

Rep: Reputation: 875
that, unfortunately, is not possible with the way opensource works, lol

if you want that you should switch to commercial unices.

Quote:
At work nobody will blame you if you install an official security update and things go wrong
maybe we work in very different places

Last edited by ponce; 01-18-2012 at 09:22 AM.
 
Old 01-18-2012, 09:06 AM   #74
JimBrewster
Member
 
Registered: Feb 2010
Location: usa:/dev/random
Distribution: Slackware, Salix
Posts: 237

Rep: Reputation: 59
Quote:
Originally Posted by fgcl2k View Post
An official security team. I understand that this is not the way Slackware works, of course; I don't blame anyone, it's a matter of choice.

At work nobody will blame you if you install an official security update and things go wrong but you will be blamed if you install an update which "apparently" works and "maybe" doesn't break other programs. I don't have time to scrutinize every single line of code which goes into the system; I prefer to put the blame on someone else, if possible :-)
They could blame you for not using RHEL or M$!
 
Old 01-18-2012, 09:35 AM   #75
brianL
LQ 5k Club
 
Registered: Jan 2006
Location: Oldham, Lancs, England
Distribution: Slackware & Slackware64 14.1
Posts: 7,029
Blog Entries: 52

Rep: Reputation: Disabled
Everybody, run:
Code:
upgradepkg --install-new patience-1.2.34-noarch-1.txz
 
  

