
Re: Latest UTB Newsletter



On Fri, 2003-03-14 at 08:25, Mike A. Harris wrote:

> You don't need to.  We do the work for you.  By using Red Hat 
> Linux and other Red Hat products, our name stands for itself.  
> Either you trust our products and trust us, or you don't.  We 
> apply security fixes to software when there are problems and we 
> release erratum.  New OS products will go out the door with those 
> security fixes automatically built-in if the versions of the 
> software in the new product were vulnerable in their stock 
> upstream versions.  That is the way it is done.

I'm in favor of the "trust, but verify" approach. I guess I watched too
many Ronald Reagan speeches as a kid.  But short of providing the source
code so I can actually do my own code audit to verify Red Hat has patched
the source, I'm not sure anything else Red Hat can do would actually add
anything to the trust value of what Red Hat is offering. Having Red Hat
say "trust us, check our code if you like" is pretty much the same as
having Red Hat say "here look at all the things on this list you have to
trust us that we backported, if you aren't going to take the time to do
the code audit yerself." But I guess maybe from a marketing standpoint
the human readable list of backported fixes would warm the hearts and
minds of certain pointed haired people who have purchasing oversight.

> Aside from unnecessarily upgrading to a given new upstream 
> package version which has security fixes upstream, how exactly 
> would you prefer us to indicate that our packages are shipped 
> with security fixes to all known security problems at the time 
> the product was shipped?  I suppose we could put a piece of paper 
> in every box that says "The versions of software included in this 
> OS product contains backported security fixes for every package 
> to which the stock upstream source code contained flaws fixed in 
> newer releases of the software which we chose to backport in 
> order to maximize stability and minimize risk for our customers" 
> however I'm not sure that would end up being a useful piece of 
> paper for anyone.

Maybe a human readable set of webpages that summarize a list of
backported bug fixes for product releases, once you can make it public
knowledge of course, would be a good marketing and FUD fighting weapon?
Shrug...like I said, it doesn't really add much in the way of
trust...since yer still just trusting Red Hat's word that this list of
backports took place, until you do go looking at the source to find the
patches. But from a marketing aspect, to inform people awash in FUD, of
the exact and precise nature of Red Hat's focus on security in its
releases...well something like this, might prove valuable.

-jef

Attachment: signature.asc
Description: This is a digitally signed message part

