[LINK] OSS means slower patches

Craig Sanders cas at taz.net.au
Tue Sep 20 18:18:21 EST 2005


On Tue, Sep 20, 2005 at 04:56:10PM +0930, Glen Turner wrote:
> Howard Lowndes wrote:
> > Glen, what's your implication by that remark? I'm interested because
> > I use FC. If you're saying that they roll out versions too rapidly
> > then I would probably agree (FC5 is due in a couple of months),
> > or is it because FC1 & FC2 have been abandoned? I have found that
> > the upgrade process from FC3 to FC4 is reasonably seamless, though
> > painfully slow.
>
> The implication is that you've got machines out there that haven't
> been upgraded (which is a manual process), are not being automatically
> patched (since the source of automated patching isn't making new
> patches available), but are still connected to the Internet. Give
> those machines time and they will be hacked.
>
> I'd have thought that Red Hat could have easily put in a cron job
> which shuts down the Internet-facing interface of a machine which is
> running past the expected expiry date of patch support.

you're assuming that they know several years in advance when that expiry
date is going to be... that they'll know exactly when they'll stop
supporting it when they first release it.

that's unreasonable to expect of any software distributor, especially
one that focuses on FOSS.

worse, you're expecting them to put up with the torrents of abuse they
would get if they did do as you suggest and make it cripple itself at
some future date.

that's even more unreasonable to expect.



in any case, what's the drama?  it's trivial to upgrade to the latest FC.
if you want to keep it up-to-date then upgrade.  problem solved.

(and if you don't want to expend the effort to keep it up-to-date, then
no amount of extending the support deadline or disabling cron jobs will
help. your system is a security disaster waiting to happen no matter
what).

to summarise a long and boring rant, systems security is a SHARED
responsibility between the distributor/manufacturer and the user (and/or
their sysadmin). the user can't just say "it's not my problem" - because
it IS their problem whether they like it or not. the distributor has
the responsibility of shipping a reasonably secure product, and the user
has the responsibility of keeping it up-to-date with the latest security
patches.


> If third parties want to extend support they can easily increase
> the date (say in "/etc/redhat-expiry") to a value they think is
> reasonable, as can users which want to take the risk of running an
> unsupported OS (say by "chkconfig redhat-expiry off").

well, Fedora is a "third party" thing for RH, anyway. it's not their
core-product, it's a spin-off not even really managed by them. it's what
they did with the free version of their distribution rather than simply
abandon their freebie users.



BTW, i'm not a RedHat user, and don't particularly like the RH distro (i
use Debian almost exclusively), but i don't see anything wrong with how
RH handled Fedora and their freebie users when they decided to focus on
their commercial "Enterprise" stuff.


craig

-- 
craig sanders <cas at taz.net.au>           (part time cyborg)
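
The mechanism debated above, an expiry date kept in "/etc/redhat-expiry" and checked from cron, as an added shell example that is not from this thread, from Red Hat or from Fedora. It reads the date, computes the days remaining against a supplied "today", and only reports the support status instead of taking an interface down, which sidesteps the self-crippling objection raised in the reply. The file format (one ISO date on the first line), the 30-day warning window, the REDHAT_EXPIRY_FILE override and the --check entry point are all assumptions; the date arithmetic relies on GNU date -d.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): a patch-support expiry
# check in the spirit of the proposal quoted above. Reads one ISO date
# (YYYY-MM-DD) from an expiry file and reports whether support has lapsed.
# Assumed: file path, one-date-per-file format, 30-day warning window,
# GNU coreutils `date -d`.

expiry_file="${REDHAT_EXPIRY_FILE:-/etc/redhat-expiry}"   # assumed default path
warn_days=30                                               # assumed warning window

# days_until_expiry FILE TODAY
#   Prints the signed number of whole days from TODAY to the date in FILE.
#   Returns 2 on a missing file or an unparsable date so callers can tell
#   "unknown" apart from "expired".
days_until_expiry() {
    file="$1"; today="$2"
    [ -r "$file" ] || { echo "no readable expiry file: $file" >&2; return 2; }
    expiry=$(head -n1 "$file" | tr -d '[:space:]')
    expiry_s=$(date -u -d "$expiry" +%s 2>/dev/null) || { echo "bad date: $expiry" >&2; return 2; }
    today_s=$(date -u -d "$today" +%s 2>/dev/null) || { echo "bad date: $today" >&2; return 2; }
    echo $(( (expiry_s - today_s) / 86400 ))
}

# support_status FILE TODAY
#   Prints one of: supported | expiring | expired. Propagates return code 2
#   from days_until_expiry when the status cannot be determined.
support_status() {
    days=$(days_until_expiry "$1" "$2") || return 2
    if [ "$days" -lt 0 ]; then
        echo expired
    elif [ "$days" -le "$warn_days" ]; then
        echo expiring
    else
        echo supported
    fi
}

# Cron entry point: `redhat-expiry.sh --check` reports to stderr and exits
# non-zero when support has ended, leaving any response to the operator.
if [ "${1:-}" = "--check" ]; then
    today=$(date -u +%Y-%m-%d)
    status=$(support_status "$expiry_file" "$today") || exit 2
    days=$(days_until_expiry "$expiry_file" "$today")
    echo "patch support status: $status ($days days relative to $(head -n1 "$expiry_file"))" >&2
    [ "$status" != "expired" ]
fi
```

Run as a daily cron job with --check; a non-zero exit is what a monitoring system would alert on. Raising the date in the file or removing the cron entry are the two opt-outs the original proposal describes, and both stay under the operator's control.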

