[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] Tripwire Segmentation Fault error...



Hi,

Am Mo, den 26.01.2004 schrieb suse@xxxxxx um 21:03:
...
> I took the 8.2 rpm and just installed it, no force or nodeps flags required.  It
> works on every server I've installed it on.

Fine. So how long did that take you? 10 minutes?

> Sure, it's great and all to have all everything compiled exactly the same and
> binutils happy and all that.  That's a goal.  However, 9.0 was released MONTHS
> ago.  There is a certain point where you say "Use what works".

I understand your point. What I don't understand is this obvious
"hostile" tone towards the SuSE people. Especially since there _is_ a
workaround here. If there wasn't an easy way to run tripwire on SuSE 9.0
then I'd say: "Hey. You're right. Screw them." But that's simply not the
case here.

> They don't need to abandon figuring out why tripwire does work or fixing it.  It will need to
> be done for the next release anyway.  Taking your time BEFORE a release is a
> laudable goal.  After release, it's time to get things WORKING.

Remember that Tripwire may be an essential tool for you and me but 99%
of SuSE users certainly never heard of Tripwire. So shipping SuSE 9.0
without it is perfectly reasonable. After all, SuSE is a company bound
by markets. If you can't live with the pressure companies face regarding
release cycles then use Debian instead. In fact, I believe that's one of
the main reasons why Debian stable is so popular.

> In order to get tripwire to work, I have to manually install it.  That's
> ANNOYING.  The whole point of a distribution is so I don't have to install
> basic packages one by one.  Tripwire is a basic requirement for any server.

See above. The "basic" installation comes without Tripwire. It is an
extra, a bonus. It does not belong to the default installation. I
totally agree with you that I wouldn't run any server without it, but
hey, since when does an operating system has to come with everything you
need? Certainly there is more than one software item that is missing in
SuSE, that you have to get somewhere else and install yourself?

> And, to be perfectly blunt, docilely sitting there and saying "Oh, well, I guess
> you can try aide or something..." is absolutely the wrong attitude to take.  
> If suse doesn't think we care about tripwire, guess what?  They probably won't
> either.

Well, SuSE certainly won't be motivated by "hate" mails, _demanding_ the
immediate release of something.

> Look back through the posts to suse-security, every time someone asks for advice
> on setting up a server, you'll see tripwire on the list of necessary items
> every time.

Maybe that's because this is "suse-security" and not "suse-linux"?
People subscribing to this list have different needs and even more
demanding attitudes. But that doesn't mean that they have to talk rude
when there _is_ a perfectly good workaround to a problem that doesn't
affect the default installation.

> It's downright embarrassing that they still don't have a working
> package.

There is a working package. It's just not included in the 9.0
distribution by default. If you setup a server with a brand new
distribution you have to take such risks. Nobody forced you to use 9.0.
You could as well have used 8.2. In fact, before I use a new
distribution for critical missions I usually wait a couple of weeks
maybe even months and watch the security announcements and bugfix
releases. When I decide that is has everything I need I buy it. Not a
day before that. This strategy works perfectly with SuSE since they
support their older distributions a long time. And THAT'S one of the
main reason for SuSE ;-)

I agree that this has to be fixed. But it really isn't an urgent matter.

> I'm only harping on this becuase I care.  If I didn't give a damn, I'd jump to
> Debian.  SuSE has been good to me on every single other issue.  I want SuSE to
> be even better.  And putting the 8.2 tripwire package into the 9.0 tree as an
> update would make my life easier, and I doubt I'm the only sysadmin running 9.0
> servers out there...

I really understand this. But I think you are playing this a little too
hot here. Cool down.

kind regards,
Tobias W.


-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here