On Sat, 22 Oct 2005, Jim Popovitch wrote:

> Nils Breunese (Lemonbit Internet) wrote:
> >
> > Why would anyone who has updates enabled not want legacy updates to be
> > enabled?
>
> From my perspective, I want to know *who* the updates are coming from.
> In the case of Redhat updates, I know that there are ISO-9001
> procedures and policies in place as well as corporate oversight and more
> importantly corporate responsibility (from a legal point of view). From

But we are no longer talking about Red Hat or for that matter Red Hat Linux.
We are talking about Fedora. Yes, I know Fedora is sponsored by Red Hat but
they are not the same.

> FL you generally (if not universally) get good updates, however do you
> really really know what was in that last ssh update that you got? While

Are you telling me you have never had a bad update from Red Hat? Unless they
were to do something on purpose I doubt you would ever get more out of them
than a fixed update, which is the same thing you would get from FL.

> I am not so paranoid to automatically suspect everything I download, I
> am paranoid enough to try and understand the origin of what I download.
>
> So...
>
> 1) what server should be used as the default update server
>    for out-of-the-box updates?
> 2) what policies, purview, scrutiny should that/those server
>    operators be put under and who will take responsibility
>    for enforcing this?
> 3) what legal disclaimers, and by what means, will alert
>    newbies that they are no longer getting official Redhat
>    updates?

They are not getting "official Redhat updates" now. There is no such thing.

If you are really thinking about all of the above and paying attention then
the change will have no impact on you. You will be on top of things and all
is well.

What happens to the poor guy who was not paying attention when the FC EOL
occurred? That same guy that thinks his system is still being updated daily.
A remote exploit for ssh gets released in the wild. Now his system is
compromised and as far as he is concerned FC is crap, because he has all of
the latest updates installed.

> Currently all three of the above issues are addressed individually by
> users who manually configure their systems. This action is so user
> intensive (visit website, cut-copy-paste yum.conf, download and install
> yum, etc) that it isolates FL from legal responsibility. All FL has to
> do to protect itself is not intentionally post malicious code or
> instructions.

OK, so how do you help keep the noob that has just installed FC3 from having
an un-updated system on the net? Yum comes as a part of Fedora. The Fedora
repos are enabled by default once you enable yum. I do not think it is
unreasonable to push an update to yum with the FL repos enabled to help
protect some noob who just installed FC3 and has not figured out all of the
ins and outs of yum.

I agree that the policy needs to be well published but I think that enabling
the FL repos at FC EOL time is one way to help protect the noob from
him/herself. IMO most people who would be upset by enabling FL repos at FC
EOL time are savvy enough to turn off the FL repos. I do not think the
opposite is necessarily true.

Regards,

Tom Diehl	tdiehl@xxxxxxxxxxxx
Spamtrap address	mtd123@xxxxxxxxxxxx

--
fedora-legacy-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-legacy-list