Slashdot Mirror


User: Nothinman

Nothinman's activity in the archive.

Stories: 0
Comments: 228

Comments · 228

  1. Re:Even modern linux distros need to be sanitized on Is Your OS Tough Enough? · · Score: 1

    All that does is move the time spent learning about the system and shutting down servers to waiting for things to compile. And chances are it'll take a lot longer to compile a useful system than it will to shut down a few services.

    And actually, I think RH has come with a deny all netfilter profile by default since like RH8 or 9, so listening services aren't a threat unless you disable the firewall.

  2. Re:Accountability on Free Open-Source vs. Commercial Security Tools? · · Score: 3, Interesting

    Right, because pointing a finger at someone you can't really hold accountable or make a lawsuit against is worthwhile. Telling your CEO "but the tool didn't see that problem" potentially makes you look just as dumb as the tool you paid for.

    I'm on our network security team and when doing audits we do have a few commercial tools, but we also use OSS tools like Nessus because IME they're better overall.

  3. Re:Too Late? on E17 Available From CVS · · Score: 2, Interesting

    I can't stand a full Gnome or KDE desktop either so I still use E16. As long as you pick a good theme (and man are there a lot of bad ones out there) E16 is still one of the best WMs out there.

  4. Re:Not to rain on the parade, but... on E17 Available From CVS · · Score: 0, Troll

    E has always been more of a proof-of-concept project than an environment for everyone. I believe it was started in the first place for Raster to learn how to use things like imlib for another project and it just grew from there. I use E16 on my machines because it's light, fast and looks good. But I wouldn't recommend it for most people.

  5. Re:Why don't people use source RPMS? on Unifying Linux Package Management · · Score: 1
    They say that gentooists do uncalled evangelism, but it seems to me that you fell in the same pattern.

    And?

    Why not reserve our energy to convert more desktops from proprietary OS to better alternatives?

    Because I'm not sure that I believe that Gentoo is a better alternative.

  6. Re:Why don't people use source RPMS? on Unifying Linux Package Management · · Score: 1
    About testing/unstable, the same packages not working in testing were working in unstable.

    This does not make a lot of sense to me.

    The problem could have been in a support library or the package in unstable could have been the same version but a different build number. Without knowing what the specific problem was, it's hard to say.

    I am sorry, you do not seem to know gentoo well enough to do such statement, otherwise you would have said which USE flag could create problems.

    Whatever, the idea is sound even if I had the location incorrect.

    And before moving the bug upstream, usually it is in bugs.gentoo.org that they are discussed.

    And? Debian has mailing lists for those discussions too. The point is that the fixed packages are put into a different tree for testing before being pushed onto the general population.

    Finally, each gentoo installation is unique in its own right, and each package is compiled in a lot more of different environments than the ones of the developers packaging the debs for debian.

    Which makes it impossible to do real QA since everyone's machine is different. Essentially every Gentoo user becomes a QA person because there's no way for a Gentoo developer to easily recreate their environment.

    It seems to me that we are moving in the right direction.

    It seems to me that Debian is already there, we've got binary packages for the majority of people and we've got the apt-build package for those that want to rebuild their packages for whatever reason.

  7. Re:A step in the Right? direction? on Unifying Linux Package Management · · Score: 1
    Why aren't you counting these?

    Well because the games I have installed don't come as RPMs anyway and if I had wanted I could have used alien on the VMWare RPM.

    But even if I had counted them that only makes 4 more since the only commercial apps I have installed are VMWare, Citrix ICA Client, Q3 and ET.

    I can't say "Just about everything I use is packaged, as long as you don't count most of the stuff that isn't packaged" with a straight face.

    And you shouldn't, because that's not even close to what I said. I have over a thousand packages installed, even taking into account the products that are split into multiple packages, libraries, etc that's still at least 100x more DFSG free products than commercial ones.

  8. Re:A step in the Right? direction? on Unifying Linux Package Management · · Score: 1
    Do you mean are they packaged? If so, then yes.

    $apt-cache search enlightenment
    e16keyedit - a keybinding editor for the enlightenment window manager
    e16menuedit - A graphical menu editor for enlightenment
    enlightenment - The Enlightenment Window Manager
    enlightenment-data - Enlightenment Window Manager Run Time Data Files
    enlightenment-theme-bluesteel - Hunchback's BlueSteel theme for E
    enlightenment-theme-brushedmetal - Audio files for the BrushedMEtal-Tigert E Theme
    enlightenment-theme-ganymede - cK's Ganymede theme for E
    enlightenment-theme-shinymetal - Raster's ShinyMetal Theme for E
    epplets - The Epplets for the Enlightenment Window Manager
    eterm - Enlightened Terminal Emulator

  9. Re:Why don't people use source RPMS? on Unifying Linux Package Management · · Score: 1
    I have seen on the other hand people installing debian testing, having issues, and resolving them going in unstable(!).


    So? Everything goes into unstable first then after it's there for 2 weeks without any major bug reports it automatically gets pushed into sarge, it's called QA. If a bug requires a new package it has to go through QA in sid first. Once sarge becomes stable it'll get fixes injected directly into it, but no new versions of packages will be allowed in order to keep things consistent and stable. But frankly I've been running sid for a few years now and can count the number of package bugs that took more than a day to fix on one hand.


    And consider that compiling from source helps to find bugs much faster than using binary distros.


    Doubtful, most people compiling those ebuilds have no idea what's going on so I'm sure if they all get reported as bugs the package maintainers just have a lot of false positives to weed through, like screwy USE flags and crap


    And do you think that no one compiles the packages on a binary distribution? In Debian every package gets automatically built on every architecture it's valid for, so compiler and architecture-specific package bugs are found just as fast or faster.

  10. Re:Well... on Unifying Linux Package Management · · Score: 1

    I thought buildworld only built the basic userland, not any ports. Why can't you just get into a port's directory and run 'make upgrade' or something, if you run 'make install' it yells and tells you to do a 'make deinstall' which causes you to remove all the things that depend on it as well.

  11. Re:Well... on Unifying Linux Package Management · · Score: 1

    Except that you need an external tool (portupgrade) to easily upgrade ports and it's way too easy to accidentally install 2 versions of the same package. It's not a bad system, but it's far from great.

  12. Re:Why don't people use source RPMS? on Unifying Linux Package Management · · Score: 1
    I did and I never want back to crappy RPM based package management

    Probably because you haven't finished installing Gentoo yet, once the compiling stops and you've used the system for a little bit you'll realize how much of a waste of time compiling everything is and hopefully you'll move onto Debian, where there's all the automation but none of the wasted time.

  13. Re:Why can't we just pick ONE good way? on Unifying Linux Package Management · · Score: 1

    It hardly eliminates it, all it does is make it take a lot longer as you end up hunting down the dependencies and compiling them all instead of installing precompiled packages. And on top of that if you don't have the optional dependencies you then lose out on functionality and you might not notice right away, then you have to go back and figure out what you missed and start the process over again.

  14. Re:A step in the Right? direction? on Unifying Linux Package Management · · Score: 3, Insightful

    Do you know how many packages I have installed on my 4 Debian machines that aren't in the Debian repositories? 2, if you don't count commercial apps that will never be packaged like VMWare or Q3.

    I'm not saying it's perfect, but Debian sid has over 16,000 packages already so the chances are good that even if you can't find the exact package you want, you can find a workable alternative.

  15. Re:Oh, dandy on Unifying Linux Package Management · · Score: 1

    What weaknesses? Sure package management on Linux isn't perfect, but I fail to see how pkgsrc would fix things.

  16. Re:But... on Security Flaws In Linux SMBFS · · Score: 2, Interesting

    It's a bug in a kernel driver, so if it becomes exploitable it could allow more than root. But from the looks of the report, you would have to mount a share on the attacking machine for there to even be a chance of exploitation.

  17. Re:53 day turnaround, is that good? on Security Flaws In Linux SMBFS · · Score: 2, Interesting

    I wouldn't say it's a good turnaround, but considering that SMB is one of the hairiest protocols around and SMBFS has been deprecated in the hopes of the CIFS driver taking its place, it's not hard to imagine that it would take a while to find someone knowledgeable enough and willing to track down each of those problems.

  18. Re:You're right it's not free, but on Interview with MPAA Chief Dan Glickman · · Score: 1

    Chances are good that you're paying for that pipe anyway, unless you decided to get the Internet for the sole reason of pirating movies and music.

  19. Re:Not more people on Firefox Browser On An Upward Trend · · Score: 1
    Sure, hence the shell: vulnerability.

    Technically that was a Windows problem, Mozilla just handed the URL off to Windows because it didn't have a handler registered for it.

    And at least with IE, my system pops up and offers to install the update for me automatically every time one is issued.

    Firefox has an automated update checker built in, I haven't used it so I can't vouch for it though.

    But let's keep a little perspective, OK? When it comes to actually getting bug fixes onto people's PCs, making a point release every few days is still way off the pace compared to an automatic patching process like Windows Update.

    That's because it's still a beta, once everything is set in stone and 1.0 is released the automated updater will be simple since profiles won't need blown away anymore and the extensions will have a stable API to follow.

  20. Re:.so hell NOT NO MORE FOR ME! on Two Years Before the Prompt: A Linux Odyssey · · Score: 1
    Why is shipping static binaries so bad?

    They're huge and any time a bug is fixed in one of those libraries every static binary needs to be upgraded instead of just the shared library.

    Look at MacOS for example. MacOS has always been lauded as easy to use, and has always had extraordinarily easy "drag into application folder, click to run" software installs.

    IMO the tradeoffs aren't worth it and it would seem that most other people agree.

    If you get rid of the shared libraries and statically link programs, you've solved about 80% of the software installation gripes about Linux.

    All that does is fix the symptom not the problem and in doing that you create more problems.

  21. Re:.so hell NOT NO MORE FOR ME! on Two Years Before the Prompt: A Linux Odyssey · · Score: 1
    Diskspace problem could be solved by hard-links.

    Then you can't just use a tarball, you need an intelligent installer.

    especially since with todays system you have to redownload all stuff that depends on a library if it breaks ABI.

    Rarely do I ever have to redownload a lot of things because of an ABI change, probably the last big update I had on my machine was Gnome 2.

    And anyway, harddisk are huge, bandwidth gets more and more every day, people however are still the same as last year or the year before, so better waste resources that grow over time and are cheap, instead of wasting valuable human time.

    If everyone followed that logic we'd end up where Microsoft is now, requiring like 5G for a basic OS install. I have machines with small drives, I'd rather not have the space wasted when there are solutions out there that do the job just fine and don't waste disk space.

    It would just end up as yet-another-system, such stuff would need to be happening at LSB level and not as yet another 'package manager'.

    Right. It's not like Gentoo hasn't become popular or anything. If you don't want to take the time to fix it, stop bitching about it.

  22. Re:.so hell NOT NO MORE FOR ME! on Two Years Before the Prompt: A Linux Odyssey · · Score: 1

    And if you install with tar and remove with rm you either have to supply all the dependencies in the tar ball which will cause a lot of duplication and waste of disk space or you still need some method to check for the existence of dependencies.

    If you think it's so simple why don't you implement it? If it works well people will adopt it.

  23. Re:.so hell NOT NO MORE FOR ME! on Two Years Before the Prompt: A Linux Odyssey · · Score: 1

    It's possible but not terribly likely unless everyone starts shipping static binaries or includes all of the dependencies in their packages which will make the situation worse than it already is.

  24. Re:.so hell NOT NO MORE FOR ME! on Two Years Before the Prompt: A Linux Odyssey · · Score: 1
    You take these for granted, right? Now imagine how much fun it would be if sitting down in front of a new Linux machine might mean that such basic tools either aren't available in total or have weird, distribution-specific names, like ffls, catx, more_21, etc. It would be a compatibility and sanity nightmare.

    Which is how commercial unix is right now and for better or worse it works and people deal with it.

    However, it's not like that. Basically any distribution big or small includes the same subset of basic commandline tools, and they're all named the same. This helps compatibility and interoperability, doesn't it?

    Only to an extent, there are many distribution specific tools, for instance on a Debian box type update- and see what shows up and then do the same thing on a RedHat box. Also configuration files are different, like the RedHat /etc/sysconfig thing which has no corresponding directory structure on Debian.

  25. Re:.so hell NOT NO MORE FOR ME! on Two Years Before the Prompt: A Linux Odyssey · · Score: 1
    ... But if the majority of distribution authors agreed on standards regarding libraries, filesystem hierarchies, and package formats, then you'd basically have the "distribution-neutral" packages I'm looking for, wouldn't you? And to think, package management would STILL be left at the distribution level...

    And to make you happy everything would have to be exactly the same so you'd have the same distribution with different names, what is the point of that?

    Ooh, elitism. You're winning converts over to Linux as we speak.

    A) I'm not trying to convert anyone
    B) If you start using Linux you accept the fact that you might have to actually do a little work to get something working. The same is true of Windows the only difference is in what aspects need the extra work.

    People who value their time over "it's free" like living in the 21st century, where you double click an installer and be done with the program installation. People who value "it's free" over their time don't care about editing arcane configuration files just to install a text editor.

    I use Linux because I value my time and sanity, installing things via apt and editing config files is simple and quick.

    But see, if there were such a thing as distribution-neutral packages, you wouldn't have to take a step as radical as dumping the distribution you're comfortable with just to install a text editor via packaging.

    If you're comfortable with the distribution what's the problem? You've already figured out the quirks related to installing and configuring things otherwise you wouldn't be comfortable with it, right?