[Yum] Re: pkgpolicy

Rick Graves gravesricharde at yahoo.com
Tue Sep 7 03:22:02 UTC 2004


Michael,

You wrote:

> Now, I think the PROPER way to solve this problem is
> to maintain your own mirror, which you sync
> appropriately.  ....

I am not sure you and I are addressing the same issue.
We may be, but I do not know enough about maintaining
a mirror to know for sure.  Based on what I know and
what you wrote, I cannot connect the dots.

The issue that I am addressing is about how to apply
security patches.  The trade-off I know about is
whether to 1) apply them automatically -- immediately,
or 2) test them first before applying them.
Obviously, 2) is the preferred option, but the reality
is most sites do not have the resources.  To test them
for real, you need a whole test system that exactly
mirrors the live system.

This is covered in the book "Red Hat Linux Internet
Server" by Paul G. Sery & Jay Beale, published by
RedHat Press in 2003.  I have put the relevant pages
here:

http://www.advanced-app.com.hk/RHLIS/

The text pages are tif's, which Konqueror knows how to
display but Mozilla (and Internet Explorer) do not.  I
also threw in the front and back covers (jpg).  

This is their bottom line, on page 405:

"The principle [sic] strength of automating any part
of the process is that your systems get updated more
uniformly and more often.   We see too many
compromised systems that would have been safe if
they'd just had the latest fixes to not mention this
benefit!  So, while you should still be cautious with
any automated update solution on production systems,
this one is definitely worth checking out."

So based on the little that I know, there are dots
missing between testing security patches and
maintaining your own mirrors.  

Anyway, now you know where I am coming from, and my
prior email may be meaningful to you in a different
way. My point is that having an option to wait for
some days would allow more administrators to update
automatically. 

Also, you wrote:

> what about installs?  do they also wait n days?  

The key word in my suggestion is "option", as in
optional.  If YUM had the option that I asked about,
and if a system administrator were inclined to turn it
on, he or she would do so after the system is
installed and brought fully up to date with YUM in the
normal way. 

Thanks for the feedback,

Rick Graves
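One way to model the optional "wait n days" policy discussed in this message, as an added example in Python (this is not yum's own code; the package names, versions, publication dates and the "today" value are constructed for illustration):

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of candidate updates (not real yum repodata):
# package name, version, and the time the update was published.
SAMPLE_UPDATES = [
    ("openssl", "0.9.7a-33", datetime(2004, 8, 20, tzinfo=timezone.utc)),
    ("kernel", "2.4.21-20", datetime(2004, 9, 5, tzinfo=timezone.utc)),
    ("bash", "2.05b-31", datetime(2004, 8, 1, tzinfo=timezone.utc)),
]

# Constructed "today" so the example is reproducible offline.
NOW = datetime(2004, 9, 7, tzinfo=timezone.utc)


def select_updates(updates, now, delay_days=None):
    """Split candidate updates into (apply_now, deferred).

    delay_days=None models the option being off: every update is
    applied as soon as it appears, which is the normal behaviour.
    With the option on, an update is applied only once it has been
    public for at least delay_days; anything newer is deferred with
    the number of days still to wait, so an administrator can see
    what an automatic run skipped and why.
    """
    apply_now, deferred = [], []
    for name, version, published in updates:
        age = now - published
        if delay_days is None or age >= timedelta(days=delay_days):
            apply_now.append((name, version))
        else:
            deferred.append((name, version, delay_days - age.days))
    return apply_now, deferred


if __name__ == "__main__":
    ready, waiting = select_updates(SAMPLE_UPDATES, NOW, delay_days=7)
    for name, version in ready:
        print("apply  %s-%s" % (name, version))
    for name, version, days_left in waiting:
        print("defer  %s-%s (%d more days)" % (name, version, days_left))
```

Running the block with a seven-day delay applies openssl and bash but holds the two-day-old kernel update back for five more days; with the option off all three are applied.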


