Re: support for RedHat distributions

On Tue, Nov 18, 2003 at 09:58:20AM -0800, Leslie E. Ballentine wrote:
> On Mon, Nov 17, 2003 at 09:20:43PM -0800, Martin Siegert wrote:
> > Dear Linux-security subscribers:
> > 
> > ... there will be none (see subject).
> > ...
> I have just read RedHat's web page, and am not reassured by what I have 
> seen.  They describe the Fedora Project as being suitable for 
> "non-critical computing environments".  I have yet to meet a user who 
> would describe his work as "non-critical"!  They further describe it as 
> "bleeding edge technology" - something that I most certainly do NOT want.  
> So Fedora does not seem to be a viable option, at least not for now.
> What about RedHat Enterprise Linux?  It is not free, but how much would it 
> cost?

	In the range of $300 US per year per system. Obviously not an option
for the cluster. It may be an option for individual users, but if it isn't
what is running on the cluster it isn't going to be Martin's primary focus
which may be a local support issue.
	I for instance am likely to end up with this because something we are
using is primarily supported on RedHat (and we have a limited number of them)
but that won't translate into wider support.

> Another option is simply to freeze our systems, in the hope that the 
> security bugs have by now been eliminated.  This is not an unreasonable 
> assumption in the medium term, although I suspect that this solution will 
> not hold up in the long term.

	Unfortunately it is an unreasonable assumption at any time. The SSH/SSL 
code (as one example of many) and Kerberos before it, are still getting 
security holes found (in Kerberos's case after 10 years with full source 
available and any number of top security researchers trying to see a way to 
compromise it). The various security lists publish a newly found bug and days 
later there is an exploit available and your machine is likely gone; there are 
10 or 20 scans of the entire network looking for compromisable machines on any 
given day.

> How did Linux live and thrive before RedHat?  Perhaps the community should 
> revert to the previous model, whatever it was.

	Linux itself is still fine; as Martin noted, there are any number of 
distributions. RedHat is just one that used to be very well supported, very
stable and available free (as all of them are technically required to be by
the GPL). Unfortunately that doesn't pay RedHat's bills and they need a better
revenue stream. The problem as noted is finding a suitable replacement that 
will be as stable and that will support both the cluster and most of our users 
so the support costs can be shared.

Peter Van Epp / Operations and Technical Support