arctic

Your vision of Mandriva 2007/2008/2009/...


That is interesting, indeed. So... should I switch to Epiphany? :)

Doesn't epiphany use the same (insecure) engine?

 

Actually, I don't know how they came to these results. And where is IE in that list? It is a completely insecure browser and isn't even mentioned, although it has more holes than a Swiss cheese! And, honestly, I do trust my own penetration tests more than some statistics that weren't falsified by myself. I checked my system thoroughly, and being behind three nicely configured firewalls (NAT+SPI+Shorewall) on a DHCP LAN, a hardened Mandriva-box, the only "vulnerability" that could be found by penetration tasks on my box was that I have Java scripts enabled in Firefox. :rolleyes:

 

The list only contains programs commonly installed by users. I don't think a firewall can prevent remote code from being executed either because of buggy code....

I agree with most of what arctic and others said, but can not refrain from adding my two cents:

 

It would be good if the next mdk did not miss the latest releases of KDE, Gnome, OpenOffice, Firefox and Thunderbird.

These are probably the most important "work horse" applications, and they really should be of late release.

It would also be good if the included X-version actually worked.

Mandriva will be released with the latest GNOME, KDE etc. GNOME 2.15 is in cooker so they will ship with 2.16. But they will get obsolete during the one year lifecycle just the same.
Practical examples:

 

A.) I often receive .odt files from clients, but mdk can not open them with ancient OO-versions which makes mdk 2005 and mdk 2006 useless for my work.

 

B.) I need to record audio-files via the headset microphone. In Suse 10.0 I can add the very much needed +20dB to the microphone input, but the older mixer and sound recorder (Gnome 2.8) in mdk does not have this feature yet. Because of this, mdk is useless for my work.

Is that a typo? Even 2006 has 2.10.
C.) In a very security-sensitive situation, I really should have latest Thunderbird and Firefox. But with mdk 2006 and 2005 having both of them in ancient 1.0xxx versions, I can not use Mozilla's update function which only works with versions 1.5xx and later. So I am forced to stick with less secure Internet software, something which I should definitely not be doing.
Security fixes are backported to the older versions so you can use them safely.
D.) One of my computers has a NVIDIA MX440 video card, and a Samsung SyncMaster 700s + CKG7507L monitor. With that combination, there is no way mdk 2006 can be installed using regular means. After installation, the monitor only displays horizontal psychedelic colour stripes. This can initially be corrected by using mcc via a console. But after adding NVIDIA drivers, nothing including the mcc via a console, or editing xorg.conf can make it work again! Then only Knoppix or DamnSmallLinux can retrieve my data before making a reinstall of an older mdk (2005) version.
X has been updated a few times since the release of 2006. Or is that with the updated X.org?

Edited by dexter11


Thanks for the reply, arctic!

 

In this area there is only modem-based internet access available, so I updated to OpenOffice 2.02 only very recently after finally obtaining a CD.

 

I will just wait for the next mdk release and stay with 2005 till then.

 

Cheers,

Helmut

Edited by Helmut


Hi dexter11,

I'm back to 2005 on both machines because of serious installation problems with 2006 (see my point D). Both 2005- and 2006-versions in my possession are DVDs of the original releases. I always applied the security updates as they were published in magazines. After introduction of 2006, that magazine only published updates for 2006 and stopped publishing 2005 updates. Unfortunately my Internet connection is much too slow for downloading. As I said, I'll just stick with what I have until a new version comes out.

 

No, I don't want to become a member of that translation team and definitely didn't mean the person you suggested. I must have mixed up someone with someone else. The person I thought about is not an admin on any board, wish I could remember what her name was. Sorry about that and all the confusion.

 

 

Cheers,

Helmut.

Edited by Helmut

BTW Bit9 (no idea who they are but anyway) called FF 1.0.7 worse than malware:

Note that Mandriva backports security fixes. So even if you are running FF 1.0.7 in Mandriva, it's most likely got the most recent security fixes so that description Bit9 has doesn't really apply - if you've updated your system.


Mandriva's firefox is at 1.0.8 at the moment, that's around April, 1.5.0.4 came out on June 1st, so at least mandriva's firefox is definitely behind

 

I don't need the usability improvements (they are not so big after all), but I would still be happy to see a new version from mandriva's firefox with the security patches from 1.5.0.4 if it's possible, otherwise they should consider a full upgrade to 1.5.0.4 if backporting is impossible, same goes for thunderbird

 

the openoffice issue imho is not that big problem, since OOo.org 2.0 now uses rpms, even the menu entries get generated (I have a vanilla OOo 2.0.2 running on my Mandy 2006, works without probs), btw I like the Icons that come with the official OOo-package ;)

 

I can live with KDE 3.4 and gnome 2.10 (at least mandy-kde was bug-fixed lately), but I can also understand people who want a newer version

 

mcc should definitely be overhauled, it is basically a great tool, but the idea with tabs mentioned earlier sounds great, the text-based interface of mcc definitely needs a new design, I would like that mcc could be used from CLI with ALL functions (would be nice on a server without X), a clear split into a backend, a CLI- and X-frontend would be appreciated, so you don't need any X-related stuff to be installed (I know that it is split into different packages, but the splitting seems to be somewhat inconsistent).

 

etc-update should be installed by default, keeps your /etc clean when you update packages and does warn you if some of your configuration files would get altered

 

newer kernels are definitely welcomed

 

I think mandriva should focus on its strengths and make them near-to-perfect: MCC, msec and urpmi

Edited by lavaeolus

I don't need the usability improvements (they are not so big after all), but I would still be happy to see a new version from mandriva's firefox with the security patches from 1.5.0.4 if it's possible, otherwise they should consider a full upgrade to 1.5.0.4 if backporting is impossible, same goes for thunderbird

Any security patches that apply to whatever version is in Mandriva are backported and put in the security updates. Note that security holes that exist in 1.5.x don't necessarily exist in 1.0.x - that's why there may be security bulletins out for 1.5.x that there is no patch for 1.0.x. Example: Here is a vuln that applies to the 1.5.x series of Firefox (1.5.0.4 specifically) but does not apply to 1.0.x series, but here is one that applies to 1.0.x prior to 1.0.8 - and 1.x prior to 1.5. I actually couldn't find any vulns in CVE that apply to Firefox 1.0.8.

 

You won't see Firefox 1.5.x in Mandriva until the next release as Mandriva uses a point release cycle.


Firefox 1.0 is no longer supported and the last update, Firefox 1.0.8, is affected by several vulnerabilities fixed in newer versions of the program. All users are urged to upgrade to the newest version of Firefox.

 

the above is c & p from

 

http://www.mozilla.org/projects/security/k...#firefox1.5.0.4

 

so I have reason to believe that 1.0.8 has some holes by now


Like I said, any vulns that apply to 1.0.8 are backported by Mandriva. That's the understanding I was given, from a Mandriva representative. Just because Mozilla doesn't release an official patch doesn't mean Mandriva can't fix the vuln if it exists.


It's easy to say that mandriva backports security fixes. But that doesn't mean you have fixes for things that were not known of at the time of release.

 

Unless you've updated your firefox since your Mandriva version was released, you're still running a vulnerable version, 2006 was released in March according to distrowatch.


ok, maybe I'm just a bit TOO paranoid, but iphitus' point is definitely valid

btw: paranoia is not an illness, it's a lifestyle :D

Edited by lavaeolus

It's easy to say that mandriva backports security fixes. But that doesn't mean you have fixes for things that were not known of at the time of release.

 

Unless you've updated your firefox since your Mandriva version was released, you're still running a vulnerable version, 2006 was released in March according to distrowatch.

Mandriva puts security patches into their updates repo which is, by default, one of the repositories that are set up when you install Mandriva. If you aren't using Mandriva's update tool to get security fixes then that is your own fault :P

 

If you absolutely have to have 1.5.x, you can install it, there are even a few threads around here (somewhere) that give directions on how to do this.


I think that Mandriva patches Firefox efficiently, even if the current version ain't officially supported anymore. Remember that Mandriva also sells enterprise services and they cannot afford to have serious flaws going unfixed for a long time in such a mission-critical application for end-users like Firefox, otherwise they can shut down their offices quite soon.

 

Mandriva is in this respect in the same boat as Red Hat and Novell. Do you really think that all three companies sell and promote software that is "unsafe" as a "safe solution", because the end-user might not know anyways? I doubt that. ;)


<Ironic>Maybe, but there is another company around, that insists that its software is secure and it is definitely not :P </Ironic>

my experience showed me not to be too trustful anyway

 

as I already said: paranoia is a lifestyle

 

maybe mandriva should be a bit more informative about all this (upgrading, patches, patch-policy), this is one of their biggest problems imho, they don't communicate enough with their users

 

but after all a quick look at suse's security site showed, they are at 1.0.8 too

Edited by lavaeolus


That's an interesting point, arctic! Never realized that about backporting major issues.

Lavaeolus also seems to have a good point too, about mandriva communicating some of their vital points to users. This is something we all definitely want to know, and it doesn't really cost much to get that communicated either. Not communicating seems to be like damaging for mandriva.

 

Arctic or Spiny, what would you recommend to a user with:

Only 56k modem (phone line always gets terminated after 30min-1h or so), mdk2005 (2006 won't install on that box) FF 1.0.2, TBird 1.02, plus all mdk2005 updates that ever came on CD up till the release of 2006 , but no chance of downloading bigger rpm's, etc.?

 

On the other hand with Wind Blows I had unprovoked crashes on the average every six months or so, and usually data was lost, the entire PC needed a reinstall plus all of those countless Microshaft patches, Firewall, Antivirus, Wind-Blows tools, anti spyware stuff, etc, etc. Then the box needed frequent time-consuming updates for the antivirus, the firewall, the anti-trojan stuff, and so on and so on. It went on endlessly and I had a not very stable system.

Ever since Mandriva ( 9.4?) has been on the box, I have never lost any data except when attempting to install 2006.

 

Cheers,

Helmut

Edited by Helmut
