Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Patch management tool - a rethink
From: "J. Oquendo" <sil () infiltrated net>
Date: Thu, 9 Sep 2004 18:13:15 -0500 (EST)

// Hi,
// The below said points are valid in the case of Linux. There is no
// concept of Registray in the Linux. RPM has its own database. If one
// installs software through RPM installer, then one can obtain the
// package information about what is installed or what is not installed.
// If anybody downloads the source code  of a software and compiles and
// installs, then no way one can patch automatically. This argument is
// valid for all
// Linux Distribution.

Problem with Linux is the cross flavors and overall distro/developer
zealotry which would make this difficult if not impossible. apt-get, rpm,
yast, and countless others. Where would the core components lie, and is
that only adding another layer of crap. Why would say the developers at
SuSE adapt to a single installation program such as RPM when they've
developed their own, as have others.

// The one way to overcome these difficulties is in bringing of "Registray
// concept", where all the installed packages information is stored.  We
// have tried to explore this option very seriously. It is very nascent
// stage. We have made some progress on this.

"Registray" would not work as admins, users, and who know who else would
likely be installing via compilation who knows what via sources like
Sourceforge, Freshmeat, etc., so who is any _one_ distro developer to tell
another program developer "You'd better make that program into an RPM or
else..." Or else what? What about the administrators who enjoy hacking
code to their own likes? Who would be any developer to tell someone
else "You'd better not look at the code and instead opt to trust an RPM
package or else..."

Program on this you've made? In accordance to whom, what standard, what
^[aA-zZ]*INSERT_ENGINEERING_GROUP_HERE* have you made progress through.
Have some forgotten not too long ago FSF servers were infiltrated? Who's
to say damage hasn't managed to remain somehow hidden in the cracks? I
certainly wouldn't want to take a developer's "Because we say this package
manager is better" word for it on my personal machine, do you think it's
wise to do so at a corporation?

J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99

CA22 0619 DB63 F2F7 51F9 D78D

sil @ politrix . org    http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"How can we account for our present situation unless we
believe that men high in this government are concerting
to deliver us to disaster?" Joseph McCarthy "America's
Retreat from Victory"

Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]