On Mon, Apr 11, 2005 at 08:34:23PM +0100, Chris Kenward wrote:
> Hi Reuben
>
> > He is using RHEL 3. The openSSH package contains the necessary
> > security fixes / backport. I would really recommend that he
> > keeps using Redhat supplied package rather than installed his
> > own version of SSH.
>
> Thanks for that - I was just about to go make those changes when I read your
> post.

Don't go blindly making changes like this without researching the implications. You don't know any of us here and occasionally some posters will give out bad advice (I've even been known to be wrong once or twice).

> I guess that's the whole idea of buying the RHN versions of these
> packages, so that we are pretty sure they have been patched to stop the
> holes?

Exactly. Every package you replace from Red Hat's distribution puts you farther and farther from a stable, supported operating system release unless you're going to be watching for all the fixes for every one of those packages and understand *exactly* how fixes are going to be handled by the upstream providers.

Red Hat's policies for fixing security holes are different than other providers. Red Hat won't, unless absolutely necessary, break binary compatibility within a release. In other words, they'll backport the fix so that every other package still works without changes. Other providers simply give you the "latest and greatest" and you may need to re-compile other applications or in some cases update the code. ssl is a very good example of this.

In short, you're paying Red Hat a lot of money to give you a stable and secure set of packages. Don't replace them blindly.

--
Ed Wilts, RHCE
Mounds View, MN, USA
mailto:ewilts@xxxxxxxxxx
Member #1, Red Hat Community Ambassador Program
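
One way to check the backporting point made in the reply above, as an added example that is not part of the original thread: because a backported fix leaves the upstream version number unchanged, the package changelog is where the fix shows up. The function names, the sample changelog and the placeholder CVE ids are constructed for illustration; the script assumes the last field of each changelog header line is the version-release.

```sh
#!/bin/sh
# Added example: list which package build mentions which CVE id in an RPM
# changelog read from stdin (the format printed by `rpm -q --changelog <pkg>`).

cve_fix_builds() {
    awk '
        # Header line, e.g. "* Tue Mar 01 2005 Name <mail> 1.2.3-5".
        # Assumption: the last field is the version-release of that build.
        /^\* / { build = $NF; next }
        {
            line = $0
            # Collect every CVE id on the line, not only the first one.
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                print substr(line, RSTART, RLENGTH), build
                line = substr(line, RSTART + RLENGTH)
            }
        }
    ' | sort -u
}

# Succeeds if the changelog on stdin mentions the CVE id given as $1.
has_backport() {
    cve_fix_builds | grep "^$1 " >/dev/null
}

# Constructed sample: the upstream version stays 1.2.3 while the release
# number increases with each backported fix. CVE ids are placeholders.
sample_changelog() {
cat <<'EOF'
* Mon Apr 04 2005 Example Packager <packager@example.invalid> 1.2.3-6
- rebuild, no code changes

* Tue Mar 01 2005 Example Packager <packager@example.invalid> 1.2.3-5
- backport upstream fix for CVE-0000-0002

* Mon Jan 10 2005 Example Packager <packager@example.invalid> 1.2.3-4
- backport fix for CVE-0000-0001
EOF
}

# On a real system: rpm -q --changelog openssh | cve_fix_builds
sample_changelog | cve_fix_builds
```

A scanner or checklist that compares only the upstream version string would report all three sample builds as the same version, even though two of them carry security fixes.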