Scott Silva wrote:
>
> on 2/13/2008 7:44 AM nate spake the following:
> > Ross S. W. Walker wrote:
> >
> >> The agencies don't know what security backports vendor XYZ
> >> has implemented and frankly they don't care. All they have
> >> is a list of minimum version numbers that software must be
> >> at in order for it to be deemed "compliant".
> >
> > So check the actual version number of the package. Using a remote
> > network software scanner to detect security problems based on
> > banner strings provided by the network software is nothing
> > more than a false sense of security.
> >
> >> I think we will start seeing this in the PCI and HIPA
> >> compliance regulations first, but I wouldn't be surprised
> >> if it leaks out into GLBA and other regulations over time.
> >
> > The scanning vendors will be forced to fix their products. It's
> > perfectly acceptable, and preferred behavior to backport patches.
> > Just look at the recent Samba thread here for a good reason
> > why backporting is good. I'd be mightily pissed if RHEL or
> > CentOS switched a version out from under me which caused breakage.
> > I honestly cannot believe that RHEL did that for Samba. If
> > anything introduce a new ALTERNATE package that has the
> > incompatible changes in it and allow users to choose between
> > that one and the original for their systems. That's just me though.
> > Fortunately I don't really use Samba.
>
> Wasn't the samba issue something that was fairly critical,
> but just couldn't
> be backported?
Yeah, it was a decision whether to keep samba at the same
version but with Windows 2003/Vista incompatibilities or to
up the version knowing it can break customers setups.
Difficult decision, but every now and then all vendors have
to make at least 1 controversial decision. Besides what good
is a Windows compatibility layer that isn't compatible with
the latest version of Windows?
-Ross
______________________________________________________________________
This e-mail, and any attachments thereto, is intended only for use by
the addressee(s) named herein and may contain legally privileged
and/or confidential information. If you are not the intended recipient
of this e-mail, you are hereby notified that any dissemination,
distribution or copying of this e-mail, and any attachments thereto,
is strictly prohibited. If you have received this e-mail in error,
please immediately notify the sender and permanently delete the
original and any copy or printout thereof.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
