Suggestion: Define an RPM extension in order to allow third party software to be integrated into automated patch application

Version 1.0, 12/10/2004

Hauke Laging, Grazer Platz 22, 12157 Berlin, Tel.: 030/32603660, mobile: 0172/7630883, E-Mail:

The Problem

One of the main elements of system security is the regular and frequent application of security patches. Practice shows that, on systems that are not professionally managed, this works only if it is easy and convenient. Many (if not all) Linux distributors have therefore developed tools for this task.

The inevitable problem is that these automated patch mechanisms cover only the software that is delivered and maintained by the distributor. For most people that is the vast majority of their installed software; for many, all installed software belongs to this category.

Nonetheless, a certain problem remains. Today it is the user's responsibility to keep third-party software up to date. Probably no non-expert does that.


The aim should be to bring third-party software into the scope of the distribution's patch tool with minimum technical effort. In particular, this should work for software that was not made (or packaged) for that distribution.


I suggest that the important distributors jointly define a new "standard" entry in the RPM spec files. This entry would contain a single URL or a list of URLs. These URLs would be either locations where patches (and/or updates) can be found, or locations that in turn list where they can be found.

This would entail very little effort for both the distributors and the software vendors / packagers, but would deliver a considerable security advantage for less technical users (and lower support costs for the software supplier).
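
An added example, not part of the original proposal: a sketch of how a distribution's patch tool could read the suggested entry from a spec file and decide which URLs to use. The tag name `UpdateURL`, the sample spec and the https-only rule are assumptions of this example; the proposal defines none of them.

```python
import re
from urllib.parse import urlsplit

TAG = "UpdateURL"  # hypothetical tag name; the proposal does not define one

# Sections that end the spec preamble, where tags live.
SECTION = re.compile(r"^%(description|package|prep|build|install|check|files|changelog)\b")

# Constructed sample spec for an imaginary third-party package.
SAMPLE_SPEC = """\
Name: exampletool
Version: 2.1
Release: 1
Summary: Constructed third-party package
License: GPL
UpdateURL: https://updates.example.com/exampletool/rpm/
UpdateURL: https://mirror.example.org/exampletool/, http://insecure.example.net/exampletool/
UpdateURL: ftp//broken-entry

%description
UpdateURL: https://ignored.example/ (description text, not a tag)
"""

def update_urls(spec_text, tag=TAG):
    """Return (accepted, rejected) update URLs found in the spec preamble."""
    accepted, rejected = [], []
    tag_line = re.compile(r"^%s\s*:\s*(.*)$" % re.escape(tag), re.IGNORECASE)
    for raw in spec_text.splitlines():
        line = raw.strip()
        if SECTION.match(line):
            break  # past the preamble: nothing below is a tag
        m = tag_line.match(line)
        if not m:
            continue
        # One entry may hold a single URL or a comma/space separated list.
        for url in filter(None, re.split(r"[,\s]+", m.group(1))):
            parts = urlsplit(url)
            # Assumption of this example: only https URLs with a host are
            # handed to the patch tool; everything else is reported.
            ok = parts.scheme == "https" and bool(parts.hostname)
            target = accepted if ok else rejected
            if url not in target:
                target.append(url)
    return accepted, rejected

if __name__ == "__main__":
    good, bad = update_urls(SAMPLE_SPEC)
    print("accepted:", good)
    print("rejected:", bad)
```

Because these URLs come from the third-party package itself, anything fetched from them would still need the same signature verification the patch tool applies to the distributor's own packages.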