where? security updates for FC4
Florin Andrei
2007-01-03 22:55:04 UTC
Now that the Legacy project is shutting down, the biggest problem
becomes the security updates. I have an FC4 server that I plan to keep
running until CentOS 5 comes out, but I also have to apply security
patches to this machine meanwhile.

What would be the best source of security updates for FC4 short-term?

SRPMs from FC5 or FC6, recompiled? But then there might be some
dependency issues that might get ugly.

SRPMs from RHEL or CentOS? Which version would be closest to FC4? Again,
I expect some dependency issues here.

Of course, one can always download the upstream tarballs and generate
packages, but somehow I suspect this to be the most difficult method.

Any other suggestions?
--
Florin Andrei

http://florin.myip.org/
Kelson
2007-01-04 00:06:21 UTC
Post by Florin Andrei
Of course, one can always download the upstream tarballs and generate
packages, but somehow I suspect this to be the most difficult method.
What I've done in cases like this is to take the latest SRPM for the
target distribution and the current upstream tarball. Then I install
the SRPM instead of rebuilding it, change the version number in the
.spec file, and try to build it.

This is most likely to work with minor version changes -- 1.2.3 to
1.2.5, for instance.

1. Grab package.lastversion.fc4.src.rpm
2. Grab package.newversion.tar.gz
3. rpm -i package.lastversion.fc4.src.rpm
4. cp package.newversion.tar.gz /path/to/rpm/SOURCES
5. Edit /path/to/rpm/SPECS/package.spec
6. rpmbuild -ba /path/to/rpm/SPECS/package.spec
7. Tweak stuff (like patches that won't apply), go back to step 5 until
you get an RPM or give up.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
Nils Breunese (Lemonbit)
2007-01-04 00:10:06 UTC
Post by Florin Andrei
Now that the Legacy project is shutting down, the biggest problem
becomes the security updates.
FL never provided anything other than security updates.
Post by Florin Andrei
I have an FC4 server that I plan to keep running until CentOS 5
comes out, but I also have to apply security patches to this
machine meanwhile.
What would be the best source of security updates for FC4 short-term?
SRPMs from FC5 or FC6, recompiled? But then there might be some
dependency issues that might get ugly.
SRPMs from RHEL or CentOS? Which version would be closest to FC4?
Again, I expect some dependency issues here.
Of course, one can always download the upstream tarballs and
generate packages, but somehow I suspect this to be the most
difficult method.
Any other suggestions?
You could upgrade to FC5 and later upgrade to CentOS 5?

Nils Breunese.
Florin Andrei
2007-01-04 00:36:47 UTC
Post by Nils Breunese (Lemonbit)
You could upgrade to FC5 and later upgrade to CentOS 5?
The extra upgrade is what I want to avoid. This server is running 24/7.
--
Florin Andrei

http://florin.myip.org/
Karanbir Singh
2007-01-04 01:20:20 UTC
Post by Nils Breunese (Lemonbit)
You could upgrade to FC5 and later upgrade to CentOS 5?
Will most likely not work as expected: FC5 updates are going to
outstrip the E-V-R for similar packages in EL5. And there is the issue of
orphan packages that in turn might be required based on the installed role.

- KB
--
Karanbir Singh : http://www.karan.org/ : ***@icq
Nils Breunese (Lemonbit)
2007-01-04 01:28:16 UTC
Post by Karanbir Singh
Post by Nils Breunese (Lemonbit)
You could upgrade to FC5 and later upgrade to CentOS 5?
Will most likely not work as expected: FC5 updates are going to
outstrip the E-V-R for similar packages in EL5. And there is the
issue of orphan packages that in turn might be required based on the
installed role.
And that won't happen when he stays at FC4 and then upgrades to
CentOS when it comes out? I have to say I don't exactly understand
what you're saying there though. I guess that if Florin wants a nice
clean CentOS 5 system it might be better to reinstall.

Nils Breunese.
Florin Andrei
2007-01-04 01:34:43 UTC
I guess that if Florin wants a nice clean CentOS 5
system it might be better to reinstall.
Exactly.
Meanwhile, I have to keep this silly FC4 box on life support, cross my
fingers, prepare for the worst and hope for the best.

It's the "prepare for the worst" part that I'm trying to disentangle now.
--
Florin Andrei

http://florin.myip.org/
Karanbir Singh
2007-01-04 01:40:56 UTC
Post by Karanbir Singh
Post by Nils Breunese (Lemonbit)
You could upgrade to FC5 and later upgrade to CentOS 5?
Will most likely not work as expected: FC5 updates are going to
outstrip the E-V-R for similar packages in EL5. And there is the issue of
orphan packages that in turn might be required based on the installed role.
And that won't happen when he stays at FC4 and then upgrades to CentOS
when it comes out? I have to say I don't exactly understand what you're
saying there though. I guess that if Florin wants a nice clean CentOS 5
system it might be better to reinstall.
sorry for not being very clear... here is the same thing in -vv mode :)

FC5 installed and then updated with all released packages will contain
packages that will, by the time CentOS-5 is out there, already be newer
than what's included in CentOS-5. Which will create problems since those
packages will then not get yum-updated to what's in the centos-5 repos.

Add to this the problem of orphans - there might be packages in the
installed system that are not included in CentOS-5 at all! There will
need to be an audit and work out what these packages are - and if they
are even required on the machine.
--
Karanbir Singh : http://www.karan.org/ : ***@icq
Nils Breunese (Lemonbit)
2007-01-04 02:49:51 UTC
Post by Karanbir Singh
FC5 installed and then updated with all released packages will
contain packages that will, by the time CentOS-5 is out there,
already be newer than what's included in CentOS-5. Which will create
problems since those packages will then not get yum-updated to
what's in the centos-5 repos.
I thought CentOS 5 was going to be based on FC6 and that therefore it
would be (kind of) possible to upgrade from FC5 to CentOS 5, but I
guess I'm wrong then.

Nils Breunese.
Karanbir Singh
2007-01-04 03:04:48 UTC
Post by Nils Breunese (Lemonbit)
I thought CentOS 5 was going to be based on FC6 and that therefore it
would be (kind of) possible to upgrade from FC5 to CentOS 5, but I guess
I'm wrong then.
At release time, FC5 would have older packages than FC6 at release time,
but FC5 has since seen updates etc. Eg.

fc5 release firefox : firefox-1.5.0.1-9
fc5 latest firefox : firefox-1.5.0.9-1.fc5

fc6 release firefox : firefox-1.5.0.7-7.fc6
fc6 latest firefox : firefox-1.5.0.9-1.fc6

centos-5beta firefox : firefox-1.5.0.8-1.el5.centos
--
Karanbir Singh : http://www.karan.org/ : ***@icq
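To make the E-V-R point concrete, here is an added example (not from any poster in this thread) that reimplements rpm's version ordering in a few lines of awk and runs the firefox strings quoted above through it. It follows the rpmvercmp() segment rules (split on non-alphanumerics, numeric segments compare as integers and beat alphabetic ones, the string with segments left over wins a tie) but omits the tilde and caret rules later rpm releases added. The -1/0/1 output and the yes/no helper are this script's own convention; the version strings are the ones from the thread.

```shell
#!/bin/sh
# Added example: rpm-style version ordering, to see which of two builds yum
# would treat as the newer one.
set -u

# Compare two version or release strings; prints -1, 0 or 1.
rpmvercmp() {
  awk -v a="$1" -v b="$2" '
  function segs(s, arr,   n) {
    n = 0
    while (match(s, /[0-9]+|[A-Za-z]+/)) {   # anything else is a separator
      arr[++n] = substr(s, RSTART, RLENGTH)
      s = substr(s, RSTART + RLENGTH)
    }
    return n
  }
  function isnum(x) { return x ~ /^[0-9]+$/ }
  BEGIN {
    na = segs(a, A); nb = segs(b, B); n = (na < nb) ? na : nb; r = 0
    for (i = 1; i <= n && r == 0; i++) {
      x = A[i]; y = B[i]
      if (isnum(x) && isnum(y)) {
        sub(/^0+/, "", x); sub(/^0+/, "", y)          # integers: 010 == 10
        if (length(x) != length(y)) r = (length(x) > length(y)) ? 1 : -1
        else if (x != y)            r = (x > y) ? 1 : -1
      } else if (isnum(x) != isnum(y)) {
        r = isnum(x) ? 1 : -1                           # 1.5.0 beats 1.5.rc
      } else if (x != y) {
        r = (x > y) ? 1 : -1                            # plain strcmp
      }
    }
    if (r == 0 && na != nb) r = (na > nb) ? 1 : -1       # leftover segments win
    print r
  }'
}

# Split "[epoch:]version-release" into the shell globals E, V, R.
evr_split() {
  case $1 in *:*) E=${1%%:*}; vr=${1#*:} ;; *) E=0; vr=$1 ;; esac
  V=${vr%%-*}; R=${vr#*-}
  [ "$R" != "$vr" ] || R=""
}

# Compare two EVR strings: epoch first, then version, then release.
evr_cmp() {
  evr_split "$1"; e1=$E; v1=$V; r1=$R
  evr_split "$2"; e2=$E; v2=$V; r2=$R
  c=$(rpmvercmp "$e1" "$e2")
  if [ "$c" = 0 ]; then c=$(rpmvercmp "$v1" "$v2"); fi
  if [ "$c" = 0 ]; then c=$(rpmvercmp "$r1" "$r2"); fi
  echo "$c"
}

# is_update INSTALLED CANDIDATE: would yum replace INSTALLED? prints yes/no.
is_update() { [ "$(evr_cmp "$2" "$1")" = 1 ] && echo yes || echo no; }

# The builds quoted in the thread, paired as "installed" vs "in the repo".
for pair in "1.5.0.9-1.fc5 1.5.0.8-1.el5.centos" \
            "1.5.0.7-7.fc6 1.5.0.8-1.el5.centos" \
            "1.5.0.9-1.fc5 1.5.0.9-0.1.el4.centos4"; do
  set -- $pair
  echo "installed $1, repo has $2: update=$(is_update "$1" "$2")"
done
```

The first pair is Karanbir's case: the fully updated FC5 box already has 1.5.0.9, the CentOS-5 beta ships 1.5.0.8, so the repo package compares lower and yum leaves the fc5 build in place. Note that a different dist tag does not change that: at equal version, the release numbers decide, so 1.fc5 stays ahead of 0.1.el4.centos4 as well.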
Michal Jaegermann
2007-01-04 04:35:21 UTC
Post by Karanbir Singh
At release time, FC5 would have older packages than FC6 at release time,
but FC5 has since seen updates etc. Eg.
fc5 release firefox : firefox-1.5.0.1-9
fc5 latest firefox : firefox-1.5.0.9-1.fc5
....
Post by Karanbir Singh
centos-5beta firefox : firefox-1.5.0.8-1.el5.centos
In this particular case this happens to be no problem. 1.5.0.9 is a
security fix and firefox-1.5.0.9-0.1.el4.centos4 is in CentOS 4
updates now so whatever will eventually show up will be not lower.

Besides, I have seen an announcement, even if I cannot find it
currently, that support for firefox-1.5 series will end in
not so distant future (April?) and backpatching those browsers
is really hard and does not really buy much beyond headaches.
In other words you can expect newer versions of Firefox soon.
OTOH FC5 still has mozilla with known security issues
( https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=195318 )
so maybe I am too optimistic here.

Michal
Karanbir Singh
2007-01-04 11:00:30 UTC
Post by Michal Jaegermann
Post by Karanbir Singh
fc5 release firefox : firefox-1.5.0.1-9
fc5 latest firefox : firefox-1.5.0.9-1.fc5
....
Post by Karanbir Singh
centos-5beta firefox : firefox-1.5.0.8-1.el5.centos
In this particular case this happens to be no problem. 1.5.0.9 is a
security fix and firefox-1.5.0.9-0.1.el4.centos4 is in CentOS 4
updates now so whatever will eventually show up will be not lower.
ok, bad example from me :)

but the point was, as the distro rolls along it will get updates etc,
while as the EL5 tree is frozen, its going to stay that way. ( I'd
presume that has already happened upstream )

- KB
--
Karanbir Singh : http://www.karan.org/ : ***@icq
Michal Jaegermann
2007-01-04 00:36:29 UTC
Post by Florin Andrei
What would be the best source of security updates for FC4 short-term?
There is no universal answer.
Post by Florin Andrei
SRPMs from FC5 or FC6, recompiled?
Very often this works pretty well, although not always. Most likely
this is good for the first try (on the source level, not binaries).
Post by Florin Andrei
But then there might be some
dependency issues that might get ugly.
What dependencies? Either you edited the spec and recompiled the
results, which means among other things that you are not using
a version which is too high for other packages which may be using
it, or this is not doable. In both cases you do not have any
dependency problems although in the second case you are also
missing an update.
Post by Florin Andrei
SRPMs from RHEL or CentOS?
They are really the same.
Post by Florin Andrei
Which version would be closest to FC4?
Version of what? Quite often these packages are "too old" to
be used on FC4 directly.

You are forgetting another option. You are taking src.rpm package
from FC4 to be updated and you apply patches "stolen" from updated
corresponding packages from FC5/FC6 and/or RHEL. Very often this is
straightforward or nearly so.

If all of that were so automatic as you seem to imagine then
Fedora Legacy would have no constant problems with manpower and
missing contributors.

Michal
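The two approaches discussed so far, Kelson's version bump of the FC4 SRPM to a newer upstream tarball and Michal's backport of patches taken from a newer FC5/FC6/RHEL SRPM, come down to the same spec edits. Here is an added shell example (not from any poster in this thread) that scripts those edits and the surrounding rpm commands. The package name, versions and spec file are constructed for the demo; "-p1" for borrowed patches, the $HOME/rpmbuild layout and the admin address are assumptions to check against the real spec.

```shell
#!/bin/sh
# Added example: spec-file helpers for (a) following a new upstream tarball
# and (b) adding a patch borrowed from a newer SRPM, plus the rpm commands
# around them. Sample package and spec are constructed, not a real package.
set -u

spec_field() { sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1; }

# (a) Version: -> $2 and Release: -> 1, keeping any %{?dist} suffix.
set_version() {
  awk -v v="$2" '
    /^Version:/ { print "Version:        " v; next }
    /^Release:/ { sub(/^Release:[ \t]*[0-9]+(\.[0-9]+)*/, "Release:        1") }
    { print }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# (b) Release: n -> n+1 for a rebuild that only adds patches.
bump_release() {
  awk '/^Release:/ { match($0, /[0-9]+/); r = substr($0, RSTART, RLENGTH) + 1
                     $0 = substr($0, 1, RSTART - 1) r substr($0, RSTART + RLENGTH) }
       { print }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Register $2 (already copied into SOURCES) as the next free PatchN tag and
# apply it in %prep right after the last existing %patch (or %setup) line.
add_patch() {
  n=$(sed -n 's/^Patch\([0-9][0-9]*\):.*/\1/p' "$1" | sort -n | tail -n 1)
  [ -n "$n" ] || n=-1
  awk -v n="$((n + 1))" -v p="$(basename "$2")" '
    { l[NR] = $0 }
    /^Source[0-9]*:/ { tag = NR }        # fallback if the spec has no Patch tags yet
    /^Patch[0-9]+:/  { tag = NR }
    /^%setup/        { app = NR }
    /^%patch[0-9]*/  { app = NR }
    END { for (i = 1; i <= NR; i++) { print l[i]
            if (i == tag) print "Patch" n ":         " p
            if (i == app) print "%patch" n " -p1" } }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Prepend a %changelog entry for the spec's current Version-Release.
add_changelog() {  # $1 spec, $2 "Name <mail>", $3 one-line summary
  evr="$(spec_field "$1" Version)-$(spec_field "$1" Release | sed 's/%{?dist}//')"
  awk -v d="$(date -u '+%a %b %d %Y')" -v who="$2" -v evr="$evr" -v t="$3" '
    { print }
    /^%changelog[ \t]*$/ { print "* " d " " who " - " evr; print "- " t; print "" }
  ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Unpack only the patches from a newer SRPM to diff against the FC4 spec (not run here).
extract_patches() { mkdir -p "$2" && rpm2cpio "$1" | (cd "$2" && cpio -idm '*.patch' '*.diff'); }

# The rebuild itself (needs rpm-build; not run here). Verify the signature of
# anything fetched from a mirror, and run -bp (%prep only) first: it is the
# cheap way to find patches that no longer apply before spending time on -ba.
install_srpm() { rpm --checksig "$1" && rpm -i --define "_topdir ${TOPDIR:-$HOME/rpmbuild}" "$1"; }
build_spec()   { top=${TOPDIR:-$HOME/rpmbuild}
                 rpmbuild --define "_topdir $top" -bp "$1" && rpmbuild --define "_topdir $top" -ba "$1"; }

make_sample_spec() {  # constructed FC4-style spec written under $1/SPECS
  mkdir -p "$1/SPECS" "$1/SOURCES"
  cat > "$1/SPECS/package.spec" <<'EOF'
Name:           package
Version:        1.2.3
Release:        4%{?dist}
Summary:        Constructed example package
License:        GPL
Source0:        http://www.example.com/package-%{version}.tar.gz
Patch0:         package-1.2.3-build.patch

%description
Constructed example.

%prep
%setup -q
%patch0 -p1

%changelog
* Mon Jan 01 2007 Someone <someone@example.com> - 1.2.3-4
- Previous build
EOF
  echo "$1/SPECS/package.spec"
}

work=$(mktemp -d)
# (a) the 1.2.5 tarball goes into SOURCES and the spec follows it
A=$(make_sample_spec "$work/a")
set_version "$A" 1.2.5
add_changelog "$A" "Local Admin <admin@example.com>" "update to 1.2.5 for the published security fix"
# (b) stay on 1.2.3 and add the fix as a patch borrowed from the newer SRPM
B=$(make_sample_spec "$work/b")
: > "$work/b/SOURCES/package-1.2.3-backport.patch"   # stand-in for the extracted patch
add_patch "$B" "$work/b/SOURCES/package-1.2.3-backport.patch"
bump_release "$B"
add_changelog "$B" "Local Admin <admin@example.com>" "backport the fix from the newer SRPM"
echo "a: $(spec_field "$A" Version)-$(spec_field "$A" Release)  b: $(spec_field "$B" Version)-$(spec_field "$B" Release)"
```

On a real box the sequence is install_srpm on the FC4 SRPM, copy the new tarball or the extracted patches into SOURCES, run the spec edits, then build_spec; a %prep failure from -bp is the "patches that won't apply" case and needs the patch refreshed by hand before going further.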
Florin Andrei
2007-01-04 00:44:56 UTC
Post by Michal Jaegermann
Post by Florin Andrei
But then there might be some
dependency issues that might get ugly.
What dependencies? Either you edited the spec and recompiled the
results, which means among other things that you are not using
a version which is too high for other packages which may be using
it, or this is not doable. In both cases you do not have any
dependency problems although in the second case you are also
missing an update.
Such as an FC6 application requiring a certain library version that
cannot be found on FC4, so then the library needs an upgrade, which
sometimes may require another thing to be upgraded, and so on. I've seen
this before.
Post by Michal Jaegermann
Post by Florin Andrei
SRPMs from RHEL or CentOS?
They are really the same.
Post by Florin Andrei
Which version would be closest to FC4?
Version of what?
RHEL or CentOS.
Since they are really the same, you know. ;-)
Post by Michal Jaegermann
If all of that were so automatic as you seem to imagine
I was merely asking for common sense suggestions. I do not expect
anything to happen as if by magic.
--
Florin Andrei

http://florin.myip.org/
Michal Jaegermann
2007-01-04 01:28:57 UTC
Post by Florin Andrei
Post by Michal Jaegermann
Version of what?
RHEL or CentOS.
Since they are really the same, you know. ;-)
What you are interested in differs only by identifier strings
in release parts. CentOS on purpose _precisely_ tracks RHEL only
removing and/or replacing things like artworks, identifiers, etc. in
order not to violate copyrights or create false impressions.
As you can guess there are delays, ranging from a few hours to
a few days, before CentOS equivalents of RHEL updates show up
on mirrors.
Post by Florin Andrei
I was merely asking for common sense suggestions. I do not expect
anything to happen as if by magic.
So you got, I hope, what you asked for. OTOH it is definitely
easier to maintain some specific machines than a whole distro. You
do have much more leeway. Patching sources of packages you are
using is the safest and the most correct course of action.
Still, it happens that the only sane thing to do is to upgrade
a version of something.

Michal
Axel Thimm
2007-01-04 02:17:04 UTC
Post by Florin Andrei
Now that the Legacy project is shutting down, the biggest problem
becomes the security updates. I have an FC4 server that I plan to keep
running until CentOS 5 comes out, but I also have to apply security
patches to this machine meanwhile.
What would be the best source of security updates for FC4 short-term?
It depends of course on what you are running on this system, but at
the very least you will be concerned with the kernel. In theory you
can use any newer kernel, but usually you need to stick to the known
features and bugs of the kernel you are running.

So the best source for security updates is using sources from FC4 and
patching them with security fixes of issues being announced. But that
was exactly what FL was about and is too much work for a single
person/server.

So the true answer is: There are no security updates for FC4 and no
healthy way to provide some short of resurrecting FL.

My advice is to try to harden security in other ways (iptables,
fail2ban etc) and schedule either an upgrade to FC6 or a reinstall to
RHEL4/5 as soon as possible.
--
Axel.Thimm at ATrpms.net
Josep L. Guallar-Esteve
2007-01-04 14:51:47 UTC
Post by Florin Andrei
Now that the Legacy project is shutting down, the biggest problem
becomes the security updates. I have an FC4 server that I plan to keep
running until CentOS 5 comes out, but I also have to apply security
patches to this machine meanwhile.
What would be the best source of security updates for FC4 short-term?
SRPMs from FC5 or FC6, recompiled? But then there might be some
dependency issues that might get ugly.
SRPMs from RHEL or CentOS? Which version would be closest to FC4? Again,
I expect some dependency issues here.
Of course, one can always download the upstream tarballs and generate
packages, but somehow I suspect this to be the most difficult method.
Any other suggestions?
I had to face a similar situation.

We had a critical RHL 7.3 server running 24x7. Thanks to the Fedora Legacy
project, we've managed to keep it running until recently. With the notice of
FL dropping support for all RHL versions by the end of 2006, we had no choice
but to migrate to a newer platform.

Thus, we built a new server with CentOS 4.4 and moved all applications running
on RHL 7.3 to CentOS 4.4. We found several gotchas:

* newer versions changed location of configuration files/data files, etc

* some apps in RHL 7.3 were installed from tar.gz, and heavily customized ->
we had to deconstruct (reverse engineering?) those apps and migrate
to "standard" (read, "rpm-provided") paths, filenames and such

* some apps on RHL 7.3 were no longer on CentOS 4.4, so we had to choose
different app to do same thing --> research, test, research, test.

* we were lucky that there were no proprietary application running on RHL 7.3.

* we tried different configs and tested ways of doing things with virtual
machines on VMware Server (free download).

We[*] documented all differences, kept a log of what I was doing and established
a plan to test the new server. That plan was a life-saver when we switched
off the old server, as the plan had "stop and rollback" procedures for every step,
as well as which tests to run.

[*] by that I mean "yours truly" *grin*

Also, we now keep a "mirror QA server" where we apply updates first and check
if something breaks.

Make sure you have plenty of time to do things. Or else, keep plenty of coffee
around.

And plan, test, plan, test, plan and test.

Regards,
Josep
--
Josep L. Guallar-Esteve - IT Department - Eastern Radiologists, Inc.
Systems and PACS Administration http://www.easternrad.com
