[rdo-dev] openstack-newton rpm packages unavailable now

Matthias Runge mrunge at redhat.com
Thu Jun 7 08:38:20 UTC 2018


On Thu, Jun 07, 2018 at 05:13:06AM +0000, Tobias Urdin wrote:
> Just sliding in with my 2 cents which are off-topic to the discussion but...
> 
> I've always found it fascinating why one would completely remove
> packages from official mirrors when the version is not supported anymore.
> There will probably always be somebody that might be looking for them,
> I've always had that feeling with RPMs compared to Debs.

Can you elaborate here on how RPMs are different to .debs?

What do you expect when you're installing these packages?
Do you expect them to work? Do you expect they won't create
a security issue? Do you want to be able to use them in
production? Is there a value in distributing something which
doesn't work (anymore)?

What happens if there is an issue, or a distributed rpm contains
a CVE? In that case, we'd actively distribute vulnerable software.
I always wondered why someone would ask for software with
a vulnerability (or more).

This is to get expectations right[1]. It might look good at the
beginning, but can turn bad quite quickly.

Matthias

[1] https://twitter.com/AwardsDarwin/status/1003934362403049472
-- 
Matthias Runge <mrunge at redhat.com>

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham,
                    Michael O'Neill, Eric Shander

