[nSLUG] General Linux Question

M Taylor mctylr at privacy.nb.ca
Sun Mar 23 14:48:29 AST 2003


On Sun, Mar 23, 2003 at 02:00:21PM -0400, bdavidso at supercity.ns.ca wrote:
> On Sun, 23 Mar 2003, M Taylor wrote:
> 
> > b) you are on your own to ensure your computer system's security,
> 
> Isn't that true for most systems?

On every system you are responsible to ensure your system's security,
but most distros give you more help or make it easier than Slackware.

> > c) I would hate to maintain several Slackware boxes in production usage
> > because of its lack of package management,
> 
> What's so hard about "upgradepkg"?  Sure, it's primitive compared to apt
> and friends, but it's not that hard to monitor slackware-current and use
> the package tool to upgrade.

Perhaps this has changed, and they have kept it quiet, but Slackware
has been in the past terrible about releasing security fixes for the
packages they include. Looking through their ChangeLog for i386,
they issued security announcements and fixes for sendmail, samba, cvs, dhcp,
and quietly fixed kernel ptrace, man, openssl, file, and bind. They appear
to have missed security fixes for XDR in glibc, tcpdump, and maybe
shadow-utils.

If you have to follow current, you get to take the good with the bad
(broken), which sucks for production systems. That's why BSD have
several cvs branches for users to follow.

So Slackware is better than what they were in the past, but still don't
seem to alert users of important security problems (i.e. ptrace and bind),
and are still spotty. The last time I wrote to Patrick Volkerding about
improving this, years ago, he brushed me off. Implying it is your own
duty, and he wasn't interested in making it easier for the user
to keep the system secure.
