Fedora Might Start Dropping Packages With Consistently Bad Security Records


  • Phoronix: Fedora Might Start Dropping Packages With Consistently Bad Security Records

    Fedora's Engineering and Steering Committee is mulling over the idea of dropping software packages from the distribution that have notoriously bad security track records...

    http://www.phoronix.com/scan.php?pag...rious-Sec-Pkgs

  • Weasel
    replied
    Originally posted by wizard69 View Post
    In the end we might lose a handful of apps which is a small price to pay to get decent auditing.
    Nobody forces you to install "unmaintained" apps if you don't want to. Yet you think it's a good idea to prevent anyone, even those who don't care, from doing so. Funny.



  • cybertraveler
    replied
    Originally posted by wizard69 View Post
    The key here is the lack of maintenance. If an app is no longer supported in a timely manner it is a security risk.
    Exactly. One reason I have told people in the past to avoid Internet Explorer, Adobe Reader and Adobe Flash, is not because there are frequently security vulnerabilities found in this software (there are), but because the vendor is often very slow to fix those vulnerabilities. Conversely, I often recommend Firefox even though there is a constant stream of vulnerabilities found, because Mozilla are reasonably quick to fix those vulnerabilities.



  • Anvil
    replied
    Originally posted by cen1 View Post
    How about you let me install whatever I want and as much as I want? Fedora needs more packages, not less.
    The problem with that: previous packagers are leaving the distro, either for another distro or because they just don't have enough time anymore. People have real paying jobs, so that comes first, before free open source stuff does. Which is probably why Flatpak has been introduced, so people don't have to wait for package maintainers to update the package.



  • wizard69
    replied
    In my mind I'm thinking, what took so long! This is something I expect from a distro.


    Originally posted by duby229 View Post
    Oh good, how soon do they plan to remove Gnome Shell then? Or xorg? Or mono? Or -every- web browser?
    The key here is the lack of maintenance. If an app is no longer supported in a timely manner it is a security risk.
    EDIT: The point I'm making is that they just made a blanket statement that they cannot possibly achieve,
    What blanket statement? Nothing of the sort was stated.
    or else they would not have functional repository.
    Baloney! There is a huge difference between code that is actively maintained vs code no longer supported.

    There seems to be some negativity here in this thread, but frankly this is what I expect out of a distro, and that is at least some attention to security. By the way, this doesn't stop anybody from installing dodgy code themselves. It does make you responsible for security breaches and questionable code.

    In the end we might lose a handful of apps which is a small price to pay to get decent auditing.



  • hikingpete
    replied
    Originally posted by cybertraveler View Post
    I think it would be better for their users to keep the vulnerable packages, but...
    Essentially this mechanism already exists. It's already used for non-free software. rpmfusion is the standard repository for non-free software that Fedora users want to use. Adding a repository to enable access to unmaintained software seems to be a reasonable approach.



  • cybertraveler
    replied
    I think it would be better for their users to keep the vulnerable packages, but inform the users of current and historical vulnerabilities. This means the user still has the choice.

    Their software centre program could provide this information.

    For command line packages they could encode an extra field in the package labelled something like 'vulnerable'. If it is true, it would require the user to interactively confirm installation (having seen a warning) or non-interactively pass in a switch like '--allow-vulnerable-packages'.

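One way the gate cybertraveler describes could work, as an added example that is not part of the post and not Fedora's or dnf's code. The field name `vulnerable` and the switch `--allow-vulnerable-packages` are taken from the post; the package metadata format, the constructed repository and the dependency walk are assumptions made here to show the mechanism end to end. It goes one step beyond the post: the check is run over the whole dependency closure, because a flagged library pulled in as a dependency of an unflagged package would otherwise bypass the warning, and with no flag and no terminal it fails closed rather than installing silently.

```python
"""Toy gate for a proposed 'vulnerable' package metadata field.

Added example, not Fedora's or dnf's code. The field name 'vulnerable' and the
switch '--allow-vulnerable-packages' come from the forum post; the metadata
format, the constructed repository below and the dependency walk are
assumptions made here to show the mechanism end to end.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    vulnerable: bool = False        # the proposed extra metadata field
    requires: Tuple[str, ...] = ()  # names of packages this one depends on
    note: str = ""                  # why it is flagged, shown in the warning


# Constructed repository for the example; not real Fedora package data.
REPO: Dict[str, Package] = {p.name: p for p in (
    Package("editor", "1.0", requires=("libparse", "libui")),
    Package("libui", "2.3"),
    Package("libparse", "0.9", vulnerable=True,
            note="unmaintained upstream; known issues unfixed"),
    Package("viewer", "4.1", requires=("libui",)),
)}


class UnresolvedDependency(Exception):
    """Raised for a missing package or a dependency cycle."""


def transaction_set(root: str, repo: Dict[str, Package]) -> List[Package]:
    """Return root and all transitive dependencies, dependencies first.

    The gate must look at the whole transaction, not only the package the
    user named: a flagged library pulled in as a dependency would otherwise
    slip past the warning.
    """
    ordered: List[Package] = []
    done: Set[str] = set()

    def visit(name: str, chain: Tuple[str, ...]) -> None:
        if name in done:
            return
        if name in chain:
            raise UnresolvedDependency("dependency cycle: " + " -> ".join(chain + (name,)))
        pkg = repo.get(name)
        if pkg is None:
            raise UnresolvedDependency(f"{name} is not in the repository")
        for dep in pkg.requires:
            visit(dep, chain + (name,))
        done.add(name)
        ordered.append(pkg)

    visit(root, ())
    return ordered


def vulnerable_in(transaction: Iterable[Package]) -> List[Package]:
    """Every package in the transaction carrying the 'vulnerable' flag."""
    return [p for p in transaction if p.vulnerable]


def install_allowed(root: str, repo: Dict[str, Package], *,
                    allow_vulnerable: bool = False,
                    confirm: Optional[Callable[[List[Package]], bool]] = None) -> bool:
    """Decide whether the transaction for `root` may proceed.

    allow_vulnerable models '--allow-vulnerable-packages'; confirm models the
    interactive prompt (it receives the flagged packages and returns the
    user's answer). With neither, a transaction touching flagged packages is
    refused, so an unattended run fails closed instead of installing silently.
    """
    flagged = vulnerable_in(transaction_set(root, repo))
    if not flagged:
        return True
    for p in flagged:
        print(f"WARNING: {p.name}-{p.version} is flagged vulnerable: {p.note}", file=sys.stderr)
    if allow_vulnerable:
        return True
    if confirm is not None:
        return confirm(flagged)
    return False


def _prompt(flagged: List[Package]) -> bool:
    names = ", ".join(p.name for p in flagged)
    return input(f"Install {names} anyway? [y/N] ").strip().lower() == "y"


if __name__ == "__main__":
    # Usage: python gate.py [--allow-vulnerable-packages] PACKAGE
    args = sys.argv[1:]
    allow = "--allow-vulnerable-packages" in args
    targets = [a for a in args if not a.startswith("--")] or ["editor"]
    prompt = _prompt if sys.stdin.isatty() else None  # no terminal: no prompt, fail closed
    ok = install_allowed(targets[0], REPO, allow_vulnerable=allow, confirm=prompt)
    print("proceeding with install" if ok else "refused", file=sys.stderr)
    sys.exit(0 if ok else 1)
```

Installing `viewer` passes without a warning; installing `editor` warns about `libparse` even though the user never named it, and in a script without `--allow-vulnerable-packages` the run exits non-zero.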


  • Weasel
    replied
    Originally posted by RahulSundaram View Post
    That doesn't make much sense. You cannot read every proposal made to the project as a statement by the project. Anyone is allowed to file a ticket with a proposal at any time.
    Well, most people think open source projects are a hive mind. Unfortunately, this includes Michael in many cases, or maybe he just does it for clickbait (can't blame him there, he needs that ad revenue).



  • RahulSundaram
    replied
    Originally posted by duby229 View Post
    Oh good, how soon do they plan to remove Gnome Shell then? Or xorg? Or mono? Or -every- web browser?

    EDIT: The point I'm making is that they just made a blanket statement that they cannot possibly achieve, or else they would not have functional repository.
    That doesn't make much sense. You cannot read every proposal made to the project as a statement by the project. Anyone is allowed to file a ticket with a proposal at any time.



  • chithanh
    replied
    Originally posted by duby229 View Post
    Or -every- web browser?
    When Fedora drops Chromium (new high-severity security bugs are found in each release), I guess they can also throw out the bundled software exception which was introduced specifically for that browser. Making their users more secure in the process.

