On Thu, Nov 17, 2011 at 5:42 PM, Markus Falb <wne...@gmail.com> wrote:
>
> On 16.Nov.2011, at 08:58, Ohad Levy wrote:
>
>> On Wed, Nov 16, 2011 at 6:30 AM, Jo Rhett <jrh...@netconsonance.com> wrote:
>>> On Nov 9, 2011, at 5:47 AM, Ohad Levy wrote:
>>>
>>> Ruby 1.87 support
>>> Foreman 0.4 would be the last major version supporting Ruby older than 1.87.
>>> This has to be done since the upstream rails community no longer
>>> supports older versions, which means that critical security patches
>>> are no longer available if we keep supporting that.
>>>
>>> If required, we would release 0.4.x maintenance releases, but since
>>> Ruby 1.87+ is available on most distributions these days, you are
>>> encouraged to upgrade.
>>>
>>> No distribution based on RHEL5 has a supported version of ruby other than
>>> 1.85 AFAIK.  It's pretty much a roll-your-own-RPM for 1.87, and that's not
>>> possible for most sites.
>>
>> The way I see it:
>>
>> Don't upgrade to ruby 1.87 ==> known security holes that could exploit
>> your foreman server (impacting everyone).
>
> This is not how RHEL works!
> The version stays the same for all 7 years of the distribution's lifetime, but
> they backport security-relevant fixes. Therefore you cannot tell from
> the version number whether software is vulnerable. Actually, one can expect, and
> this is what one pays Red Hat for, that there are NO security holes in their
> ruby packages.

Trust me, I know, I work for Red Hat.

If it's not clear, what it means is that if you want to run it on
RHEL5, you can either keep running the current 0.4.x versions or
upgrade your Ruby stack. Otherwise, use a more recent distribution.

I've tried very hard to make Foreman accessible to as many
distributions as possible, and as I look at Foreman becoming an important
piece in the infrastructure puzzle, I can't ignore security issues.

Ohad
>
> Please see https://access.redhat.com/security/updates/backporting/
>
>> Upgrade to ruby 1.87 ==> Pain of migrating foreman to a newer
>> distribution (impacting only a subset of the users)**
>>
>> We are also planning to have a maintenance release in the 0.4.x
>> versions, so critical bugs (and probably less than critical) would be
>> fixed there as well.
>
> Fine, btw. regular RHEL 5 lifecycle ends on March 31, 2014
> https://access.redhat.com/support/policy/updates/errata/
>
> Best Regards, Markus
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Foreman users" group.
> To post to this group, send email to foreman-us...@googlegroups.com.
> To unsubscribe from this group, send email to 
> foreman-users+unsubscr...@googlegroups.com.
> For more options, visit this group at 
> http://groups.google.com/group/foreman-users?hl=en.
>
>
