On Thu, Jul 08, 2004 at 12:21:25PM +0200, Phil Knirsch wrote:
> seth vidal wrote:
> >So, would it be completely inappropriate to nominate ethereal for
> >removal from fc3 due to its spotty history of security problems?
> The thing is: It is a very very useful tool, even more so imho than
> tcpdump. And especially for network debugging it is invaluable.

Don't forget that it's mostly valued on a CD-based install, where you
want to debug your not-coming-up network connection. Pointing to a
non-CD-packaged external source is not helpful.

> So to boil it down, I am between a rock and a hard place here:
>
> On the one hand, I see the real need and use and benefit of having
> ethereal in our products.
>
> On the other hand, it produces an awful lot of work over time. At the
> moment if an ethereal security problem is found I need to do 4 errata
> (AS2.1, RHEL3, FC1 and FC2). In the future this number will mainly only
> increase, especially as our enterprise products have such a long lifetime.
>
> And the point is, for a package that needs to be in our enterprise
> products, it is in the long run necessary that there is an internal Red
> Hat package maintainer for it.
>
> I was, am and will be maintaining ethereal and hope we can keep it in
> the enterprise product. Should we ever decide to remove it from our main
> products I'll gladly step down as package maintainer and hand it over to
> someone in the community to take good care of the package. But until
> then I don't think it's a good idea.

For AS2.1 and RHEL3 you don't have a choice anyway :(

But for FC1-FC3 you can skip backporting security fixes and use the same
src.rpm/fixed upstream with different disttags (you are not bound to
backports in FC). The more overlap there will be between different FC
versions, the better the disttag idiom will look.
-- 
Axel.Thimm at ATrpms.net
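The disttag idiom the reply refers to, shown as an added illustration that is not part of the original mail and not ATrpms' or Fedora's actual ethereal packaging. It assumes the tag is carried in an optional macro named `%{?dist}` (the form Fedora later standardised, not necessarily the macro name ATrpms used in 2004); the package version, summary and file names are illustrative placeholders.

```spec
# Added illustration of the disttag idiom; not from the original mail and
# not the real ethereal spec.  Assumptions: the distribution tag lives in
# the optional macro %{?dist} (expands to e.g. ".fc2", leading dot
# included, or to nothing when undefined); version and summary are
# illustrative.

Name:           ethereal
Version:        0.10.5
Release:        1%{?dist}
Summary:        Network protocol analyzer (illustrative)
License:        GPL
Source0:        %{name}-%{version}.tar.gz

%description
The only distribution-specific part of this spec is the Release tag.

# One src.rpm, rebuilt once per distribution, nothing backported.
# rpmbuild's --define sets the macro for that one build, which is what
# you do when the build host does not define %dist itself:
#   rpmbuild --rebuild --define 'dist .fc1' ethereal-0.10.5-1.src.rpm
#   rpmbuild --rebuild --define 'dist .fc2' ethereal-0.10.5-1.src.rpm
#   rpmbuild --rebuild --define 'dist .fc3' ethereal-0.10.5-1.src.rpm
# yields ethereal-0.10.5-1.fc1, -1.fc2 and -1.fc3.  rpm's version
# comparison splits Release into segments ("1", "fc", "1"), so
# 1.fc1 < 1.fc2 < 1.fc3 and an untagged "1" sorts below all of them;
# a distribution upgrade therefore pulls the matching build, and a
# security fix is one Version bump in one src.rpm rebuilt per release.
```

Before building, check what the tag expands to on the host with `rpm --eval '%{?dist}'`; an empty result means the build would produce an untagged Release unless you pass `--define`, and that untagged package compares older than any tagged one.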