From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Description of problem:
Package perl-suidperl is not present on the ISOs related to RHEL ES 3.0. This package was present in RedHat 7.3, 8 & 9.
Version-Release number of selected component (if applicable):
I wish
How reproducible:
Always
Steps to Reproduce:
1. Install RedHat EL ES 3.0
or
1. Search for the RPMs on the ISO disks.
Additional info:
It is also missing on RH AS 3. If you grab the SRPM you can build the RPM and install it.
We really need this on ES if we are to migrate from a mixture of BSD and RH 7.3...
This will be critical for our migration from RH-8 and RH-9 to RHEL-ES.
Is there any chance the package will be added in RHEL 3.0? I've compiled the source RPM, which gave me the perl-perlsuid package to solve my problem for the moment, but I would like to have up2date/support for the package.
Add me to the list of folks that need this. C'mon guys, it's been 5 months since this bug was opened, is there anyone awake at Red Hat? Some sort of response would be nice.
I'd like a perl-perlsuid RPM also.
I would also prefer that Red Hat add perl-suidperl to 3AS/3ES/3WS, to save me the effort of having to build it myself.
Since we have a support contract with Red Hat, I used it to draw Red Hat's attention to this bug. Red Hat did not include perl-suidperl in RHEL 3 due to concerns over security issues. There are currently no plans to add it back into the distribution, one of the main reasons being that people who need perl-suidperl can easily rebuild from the SRPM themselves.
In response to the comment from James Ralston, that is not a very helpful attitude from RedHat. Perhaps we would be better building everything we need from source, in which case why bother paying for RHEL... RedHat really need to look to their customer base and start providing what they want.
Ha! Very odd. I too opened a Support Request with Red Hat and got told "Gee Whiz, you should really put your request in the Bugzilla bug so our engineers know that you need this package!" So, here we go:
--- REQUEST
Please put perl-suidperl back. I have lots of scripts that depend on it and having to recompile perl just plain sucks. This is making RHEL3 migration really really hard. Please include in Update-3 or sooner.
--- REQUEST
Also, RH Support mentioned Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=122543 having more info about it being added back; however, this bug is not available for public review. My guess is it's the tracker for packages-to-be? Argh.
I don't know--I think I have to side with Red Hat on this one. They didn't remove perl-suidperl just to annoy us; they removed it because they had specific security concerns with it. I think defaulting to *not* putting questionably insecure packages in the distro by default is a Good Thing. Additionally, it's not like it's a hardship to build it yourself. Red Hat didn't stop building perl-suidperl; they just don't include the package. All you have to do to get it is download the SRPM and rebuild it. Presto, you'll have the perl-suidperl package.
James, you're right. It's pretty easy to build perl-suidperl from the SRPM. So how does omitting the binary help security? Anyone who wanted to maliciously install the binary just has one new minor hurdle (rpmbuild). All the omission accomplishes is frustrating normal users and costing them time, with no payoff in security. Is Red Hat ever going to comment on this issue? Donald Fischer?
This package was added in RHEL 3 U3. Closing as CURRENTRELEASE.