[csw-maintainers] cswclassutils splitting

Philip Brown phil at bolthole.com
Thu Oct 14 18:27:29 CEST 2010


On 10/14/10, James Lee <james at opencsw.org> wrote:
> On 12/10/10, 01:59:37, Ben Walton <bwalton at opencsw.org> wrote regarding
> [csw-maintainers] cswclassutils splitting:
>
>> I'm just about done with the changes to the GAR recipe will see each
>> CAS pair of scripts be shipped in a separate package
>
> Please don't.  The CAS can only be installed in the global zone
> splitting means every one has to be installed.
>

there *was* a brief discussion on this a few months ago James (dont
remember HOW many months ago at this point, but...)

the general consensus of people replying, agreed that, given that we
are accumilating more and more separate CAS scripts, it would actually
be less aggravating to security-concious people in the long run, to
split them up.
This is because of the dichotomy between core, ideally stable scripts,
vs up and coming ones.

Lets say a site is very security concious, and only uses a handful of
our package, and they only need one or two of the long time "core" CAS
scripts.
They could install the global-zone cas package once... then go through
a bunch of zone level package upgrades without hassle, over the time
period of a year.

We have multiple updates, to multiple CAS scripts, in the course of
the year. each one generates a "new" cswclassutils package. Which
means that every time that site updates their zone-level packages,
they would "need "to update their back-rev cswclassutils package. For
no reason, from their standpoint. Yet they would still need to do so..
and then security-analyze ALL the scripts in that package.

If the scripts are broken up, then not only should it ideally mean
less frequent updates to relevant CAS packages.. but when updates do
happen, they should be less painful from an audit point of view.


More information about the maintainers mailing list