Hi,
recently I came across the hackpcweek.com issue,
and they did not apply the crond exploit fix, since they
"only install shipping software", and were not willing to install
21 different fixes (from the Red Hat errata).
But they installed Service Pack 5 on NT, since it was one single file to install.
Their reason for not installing the 21 RH updates was that in a big enterprise,
installing 21 updates on hundreds of machines becomes unmanageable.
I agree with this, and RH should provide an idiot-proof method to keep
your box at cutting-edge security status.
The ideal would be to have a little client on every RH distro shipped which, e.g.,
polls Red Hat's central webserver (or maybe a custom server; the protocol
doesn't matter here), and retrieves information about which rpms have to be
updated, with flags describing the security urgency.
At this point the client compares the versions of the local installed packages,
and detects the ones which have to be updated.
Then you could choose to let the client send email to the sysadmin,
containing the rpms he has to update,
and in the case of a large enterprise (or Joe Average home user) the admin
could choose an "AUTOMATIC MODE", where the client does the download and
upgrading of the rpms.
It would be useful to specify the behaviour of the updating client
(manual mode (email notification) / automatic mode (automatic upgrading +
notification)) at install time, to allow inexperienced people to set it as
default.
Of course some critical packages, like kernel upgrades, require the machine to
be rebooted in order to activate the changes.
In this case the "upgrading-wizard" should interactively ask the user what to do
(and warn about potential problems etc.)
The upgrading client should by default only upgrade packages which have
security-related problems, to keep the network load of the ftp servers low.
Non-security-related updates could still be announced interactively by
the client or sent to the local admin.
Such a solution would save TONS and TONS of trouble,
and even the dumb PCWEEK people could not cheat by not installing the
latest security fixes.
Consider the fact that Linux has a big advantage over Windoze in terms of
upgrading on the fly, because for most things you don't have to reboot.
That means if there are only minor upgrades like the crond update,
you can do them without a reboot.
(Try to install SP5 on NT without rebooting .... :-) )
Comments?
PS: I heard that RH 6.1 will have some upgrading features over the internet;
could someone tell us more about this?
regards,
Benno.
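The update client sketched in the post, as an added example that is not part of the original message and not any Red Hat tool: a hypothetical server feed (package, version-release, urgency flag, optional "reboot" flag) is compared against a hypothetical dump of the locally installed packages, using the real rpm version/release comparison rules (digit and alpha segments, numeric beats alpha, longer wins on a tie), and the result is either a report for the sysadmin (manual mode) or a split into "upgrade now" and "ask first" (automatic mode, holding back anything that needs a reboot). The feed format, the field names and all package versions below are constructed for the example; the installed list stands in for output such as `rpm -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n'`.

```python
import re
from dataclasses import dataclass

# Constructed sample of what a central update server could publish.
# Format and versions are hypothetical; one package per line:
#   name version-release urgency [reboot]
SAMPLE_FEED = """\
vixie-cron 3.0.1-37 security
kernel 2.2.12-20 security reboot
bash 1.14.7-23 enhancement
glibc 2.1.2-11 bugfix
"""

# Constructed stand-in for the local package list, e.g. from
#   rpm -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE_INSTALLED = """\
vixie-cron 3.0.1-36
kernel 2.2.5-15
bash 1.14.7-22
glibc 2.1.2-11
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Compare two rpm version (or release) strings like rpm's rpmvercmp():
    split into digit and alpha segments, compare digits numerically and
    alphas lexically, numeric segments rank above alpha ones, and if all
    common segments match the string with segments left over is newer.
    (Simplified: no tilde/caret handling.)  Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_newer(candidate, installed):
    """True if candidate 'version-release' is newer than installed 'version-release'."""
    cv, cr = candidate.rsplit("-", 1)
    iv, ir = installed.rsplit("-", 1)
    c = rpmvercmp(cv, iv)
    if c == 0:
        c = rpmvercmp(cr, ir)
    return c > 0


@dataclass
class Update:
    name: str
    installed: str
    available: str
    urgency: str
    reboot: bool


def parse_feed(text):
    """Hypothetical feed -> {name: (version-release, urgency, needs_reboot)}."""
    feed = {}
    for line in text.splitlines():
        if line.strip():
            name, ver, urgency, *flags = line.split()
            feed[name] = (ver, urgency, "reboot" in flags)
    return feed


def parse_installed(text):
    """Installed list -> {name: version-release}."""
    return dict(line.split() for line in text.splitlines() if line.strip())


def pending_updates(feed, installed, security_only=True):
    """Core of the client: packages the server offers in a newer version than
    the one installed.  By default only security fixes, as the post suggests."""
    out = []
    for name, (ver, urgency, reboot) in feed.items():
        if name not in installed or not is_newer(ver, installed[name]):
            continue
        if security_only and urgency != "security":
            continue
        out.append(Update(name, installed[name], ver, urgency, reboot))
    return out


def admin_report(updates):
    """Body of the mail the manual mode would send to the sysadmin."""
    lines = ["The following packages have newer versions available:"]
    for u in updates:
        note = " (reboot required)" if u.reboot else ""
        lines.append(f"  {u.name}: {u.installed} -> {u.available} [{u.urgency}]{note}")
    return "\n".join(lines)


def plan(updates, automatic):
    """Automatic mode upgrades unattended but holds back packages that need a
    reboot for an interactive decision; manual mode only asks.  Returns
    (upgrade_now, ask_admin)."""
    if not automatic:
        return [], list(updates)
    return [u for u in updates if not u.reboot], [u for u in updates if u.reboot]


if __name__ == "__main__":
    ups = pending_updates(parse_feed(SAMPLE_FEED), parse_installed(SAMPLE_INSTALLED))
    print(admin_report(ups))
    now, ask = plan(ups, automatic=True)
    print("upgrade now:", [u.name for u in now], "ask first:", [u.name for u in ask])
```

In a real client the feed would have to be signed (or at least fetched over an authenticated channel) and the rpm signatures checked before anything is installed, otherwise the auto-update channel itself becomes the easiest way onto every box.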