[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: RHL 9 - concerns

On Sat, 29 Mar 2003, Mike A. Harris wrote:

> On Wed, 26 Mar 2003, Denice wrote:
{this bit was said by A-J. Ulvestad, not me}
> >> Yes, of course... but I'm whining mostly over the fact that RHL 8.0 comes
> >> out.. we start testing it, we wait for the first errata to come out so
> >> that it becomes more "mature".. we start porting it.. and by the time we're
> >> ready to start pumping out workstations or something like that to
> >> customers, there's another major release out so we need to start the
> >> freaking thing again.. and when we've installed and shipped the computer
> >> out, it's gone 9 months.. 3 months later, RedHat will stop making security
> >> fixes, etc.
> >
{this bit was said by Denice}
> >Well, as it has been said before, the one year thing is a minimum; they
> >will probably (and almost certainly need to) make at least some security
> >fixes available well beyond a year.  It would be suicidal to stop issuing
> >very important updates for the backbone services that linux is famous for:
> >web, bind, sendmail, etc.   It would be a public relations disaster for
> >Red Hat to NOT provide patches for cases we have seen before -- some
> >destructive worm sweeping across the internet.   So I am going to choose
> >to believe, from all I've read, that certain important security patches will
> >be available over some longer period of time  -- until proved otherwise.

> The dates that are published on the Red Hat web site for product
> "end of life" are indeed the product's currently projected "end
> of life".  After the target dates, no further errata for
> anything at all, security or otherwise, are planned.  These dates 
> are however, as indicated, subject to change based on paying 
> customer demand.  If a particular release is very popular, then 
> the dates may be extended.
> In such a case, the dates on the website would most likely be 
> updated to reflect a new date.  However, you should plan your 
> system upgrades based on the dates present on the website at any 
> given time, because those dates are indeed the official end of 
> life dates we are projecting, and "end of life" is defined as 
> "there will be no further software updates after this date".

I'm just being the devil's advocate here..  I have no problem updating
my systems; it's the other kind of system administrator that worries me.
I'm speaking from the biased point of view of supporting *nix-type operating
systems in research and academia for a decade.  The effect of having
absolutely, emphatically NO security errata for anything _other_ than
RH 9 from Red Hat after December scares me a bit.

I know what kind of a panic-fest sets in when certain kinds of security
problems crop up.  An example security alert that caused more than a bit
of uneasiness in this school was the 'slapper worm' last fall.

Facile answers like 'just build your own patch' aren't going to cut it
in some corners of this school.  This answer seems okay to experts on this
mailing list.  But in my experience this level of expertise is sadly lacking
in the trenches, and I mean LACKING.

It isn't clear to me either how academic institutions should proceed
with picking a RH linux support policy, given the choices, and given 
this deadline.  A place like EPFL, for example, has dozens of completely
and TOTALLY independent, sizable linux workgroup installations, many of them
Red Hat-based.  The school also has a history of preferring site-license
solutions.  What are other academic and research organizations doing?
Can anyone on this list share with us which of the offerings at:
are suitable for their institution?

It really isn't my problem (any more :-), but I'm curious, and I'll pass
your comments on to Central Computing here.

> <disclaimer> I'm only stating these things in an attempt to 
> clarify any misunderstandings you may have on the definition of 
> "end of life".  My clarifications are not in turn my own personal 
> interpretation of our Red Hat policies, and are not "official".  
> If you require official confirmation of what I've stated above, 
> please contact an official Red Hat representative directly.  I 
> do however recommend against making the assumptions you've made 
> above, as I do not believe your assumptions match up with the 
> described policies on the Red Hat support web pages.
> </disclaimer>


Thanks a lot for responding.  One of the important assets of Red Hat linux
is the mailing lists.  We know that there are ears listening.  It is one
of the reasons that I'm doing the dog<==>bone thingy here.  I really
don't believe that global computing politics vis-a-vis security
make it easy to stop providing patches after a year, and I just want
to be heard.  I guess I remember just too many damn alerts, and the
subtle and not-so-subtle politics behind much of it.  I can smell
trouble brewing, and I have a pretty big nose  :O)


denice.deatrich @ epfl.ch, DSC / LTHC-LTHI, E.P.F.L.   PH: +41 (21) 693 76 67
<*> This moment's fortune cookie:
You canna change the laws of physics, Captain; I've got to have thirty minutes!
