On Wed, 2005-02-16 at 08:49, Dennis Peterson wrote:
> Dörfler Andreas said:
> > the version check for zlib isn't the best.
> > suse for example fixes the security hole
> > in 1.2.1 with patches and not with an installation
> > from a new version.
> > forget the warning.
> >
> Sounds like suse has introduced a configuration management anomaly. How
> much running around looking for such anomalies do you think these fine
> developers should do for free?
>
> Damn, but this has been a week of whiners. This software hasn't a brain,
> people, use your own.
Nobody is whining here Dennis. I was asking a question about what the zlib warning was all about. The 3rd party SRPM requires zlib 1.2.1.2, which is the latest available for FC3 (1.2.2.2 is in Rawhide). The zlib homepage doesn't mention anything about 1.2.2 (you can download it if you manually change the download URLs). From the zlib ChangeLog I can't see anything important that would make 1.2.1.2 any less acceptable than 1.2.2:

  Changes in 1.2.2 (3 October 2004)
  - Update zlib.h comments on gzip in-memory processing
  - Set adler to 1 in inflateReset() to support Java test suite [Walles]
  - Add contrib/dotzlib [Ravn]
  - Update win32/DLL_FAQ.txt [Truta]
  - Update contrib/minizip [Vollant]
  - Move contrib/visual-basic.txt to old/ [Truta]
  - Fix assembler builds in projects/visualc6/ [Truta]

Java test suite? Assembler builds on VC6? Not applicable. 1.2.1.2 is the version where all the nasties were fixed. Something may have been changed in 1.2.2 which was left out of the ChangeLog of course, but if it was that important that's not very likely.

"The software doesn't have a brain" alright, but it would be a lot more helpful if that warning actually stated what the possible problem was. (CAN-2004-0797 for instance?)

SuSE/RedHat have not introduced any CM anomalies. Standard procedure is to patch bugs and release updated packages with an increased package version number. When/if the patch is accepted upstream it is removed from the package, and a new package is built with a new version number including the upstream fix. SuSE/RedHat obviously can't bump the version themselves just because they patched a bug, and they can't sit around and wait for security/bug patches to be incorporated upstream all the time.

That said, nobody is complaining that the ClamAV developers aren't running around checking exactly what patch set people have installed. Andreas was just pointing out that the 1.2.1.2 in SuSE has already been patched, and I have nothing to worry about if I run SuSE.
The same is the case with Fedora (I've checked now that I think I know what the worry is). That was helpful, thanks.

Regards,
-- 
Tarjei
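The point of the thread is that a check which only compares the upstream version string cannot see a distro backport: Fedora's and SuSE's 1.2.1.2 carries the fix as a patch, yet "1.2.1.2 < 1.2.2" still trips the warning. The Python below is an added illustration, not ClamAV's configure check or any distro's tooling. It contrasts the bare upstream comparison with a lookup that also considers the package's release number, which is where a distro records a backported fix. The package strings, the release numbers and the "fixed from release" table are constructed for the example; the thread does not state the real Fedora or SuSE release numbers.

```python
"""Upstream version check versus distro package release check (illustrative)."""
from itertools import zip_longest


def parse_version(text):
    """Turn '1.2.1.2' into (1, 2, 1, 2); non-numeric pieces contribute their digits."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 like a configure-time check would.
    Missing trailing components count as zero, so '1.2.2' == '1.2.2.0'."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def upstream_warning(installed, minimum="1.2.2"):
    """The warning as the thread describes it: anything below the minimum
    upstream release is flagged, regardless of what the distro backported."""
    return compare_versions(installed, minimum) < 0


def split_nevr(nevr):
    """Split an RPM-style 'name-version-release' string, e.g. 'zlib-1.2.1.2-2.fc3'."""
    name, version, release = nevr.rsplit("-", 2)
    return name, version, release


# Constructed stand-in for a distro's advisory data: the first package release
# of each upstream version that carries the security fix. Not real Fedora numbers.
FIXED_FROM_RELEASE = {
    ("zlib", "1.2.1.2"): "2",
}


def package_is_patched(nevr, fixed_from_release=FIXED_FROM_RELEASE):
    """True if the package's release number is at or above the release in
    which the distro shipped the fix for that upstream version."""
    name, version, release = split_nevr(nevr)
    needed = fixed_from_release.get((name, version))
    if needed is None:
        return False
    release_number = release.split(".")[0]  # drop the dist tag such as '.fc3'
    return compare_versions(release_number, needed) >= 0


def assess(nevr, minimum="1.2.2", fixed_from_release=FIXED_FROM_RELEASE):
    """Combine both views into one verdict a maintainer could act on."""
    _, version, _ = split_nevr(nevr)
    if not upstream_warning(version, minimum):
        return "ok-upstream"          # version already at or above the upstream fix
    if package_is_patched(nevr, fixed_from_release):
        return "patched-by-distro"    # bare version check would warn; backport present
    return "needs-update"             # old version and no known backport


if __name__ == "__main__":
    for pkg in ("zlib-1.2.1.2-2.fc3", "zlib-1.2.1.2-1.fc3", "zlib-1.2.2.2-1.fc3"):
        print(pkg, "->", assess(pkg))
```

Run stand-alone it prints one verdict per constructed package string. The design point is that `upstream_warning` alone is what the thread's warning amounts to, and it is the second lookup, keyed on (name, version) and the package release, that distinguishes an unpatched 1.2.1.2 from a distro-patched one.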