The Scream! > COMPUTER RELATED > Linux

#1
Old 17-February-2003, 11:35
silver
Join Date: Apr 2001
Location: Bournemouth, UK
Posts: 12,177
New Linux support policies are ominous

from http://www.securityfocus.com/columnists/142

Red Hat and Mandrake are cutting support for older versions of their Linux distributions... The results will be a security nightmare for the Internet.
By Jon Lasser Feb 12, 2003

Open source opponents have for years warned, "You get what you pay for."

Now some Linux distributors are planning to make good on that threat. Red Hat and Mandrake's recently-announced revised support policies might spell the end of the free ride for many companies using Linux.

The policies are straightforward: Red Hat will support their regular distributions for twelve months from initial release. Red Hat's venerable version 6.2 will be retired on March 31st along with version 7.0. Versions 7.1 through 8.0 will expire on December 31st. After the expiration date, security patches will be provided at Red Hat's discretion only.

Mandrake's new policy is similar, though a little more confusing: Mandrake will support "desktop components" of any new distribution for twelve months, and they'll support "base" components, including the kernel and Apache, for eighteen months. Which category the other packages fall into remains to be seen.

Mandrake 7.2 and 8.0's desktop components are immediately unsupported, while their base components will be supported until March 31st. Mandrake will drop support for 8.1, both desktop and base packages, as of March 31st as well. Version 9.0's end-of-life dates are September 30th and March 31st of next year.

How you interpret these announcements depends on what hats you wear: I didn't know whether I should laugh, cry, or cheer. As a systems administrator, my first reaction was definitely to cry.

Vendor-provided security patches are, unfortunately, the lifeblood of distribution support. Without well-integrated and well-tested patches, maintaining a Unix server takes a lot more work: you have to track every installed package on your system and rebuild necessary subsystems whenever a patch is released.

Though users of commercial Unix distributions have been doing this for years, users attracted to Linux's relative ease of use and maintenance frequently don't have the technical skills to keep up while not falling behind on other important tasks. Without these vendor-provided patches, most Linux users -- and even many professional system administrators -- will have trouble keeping their systems safe.

Twelve or eighteen months is nothing in the life of a production server. In many shops it can take more than six months to certify an application for use. In such an environment the install-test-release cycle would be constant. Furthermore, servers are often hard to update: permissible downtimes may be rare, and co-located servers are even more difficult to handle.

Two Weeks Notice
On the bright side, at least Red Hat and Mandrake have policies that will allow me to plan, or to make other arrangements. I still have a bad taste in my mouth from the Debian 2.1 support debacle. On September 14th, 2000, the Debian project announced that, as of September 30th, support for Debian 2.1 would be dropped entirely.

Two weeks notice is simply not enough time to do even minimal testing before updating a production server doing anything more complicated than serving static Web pages. Furthermore, Debian 2.2 had been released on August 14th -- only one month earlier.

I know that Red Hat and Mandrake have important reasons to limit support for older operating systems: first, open-source software has an unfortunate tendency to live forever -- many users are still relying on versions of Red Hat even older than 6.2, and supporting these primordial distributions is expensive. The QA and build machines need to be supported, and developers must be diverted from more forward-looking tasks. Given that Linux distributors make little money supporting these older releases, dropping patches must seem like a no-brainer from their point of view.

And to their credit, both companies have different rules for "server-class" products: Red Hat will support their Advanced Server for five years, and Mandrake's policy states that server software will be supported for "no less than twenty-four months." Red Hat and Mandrake are clearly banking on support contracts and installations of their advanced server products to generate revenue.

It's not unreasonable to expect people who want commercial quality support to pay for it.

But as an advocate for better computer security, I'm nearly panic-stricken over this move. In the short term, at least, this will be a big negative for practical security on the Internet. Old software doesn't go away just because it's no longer supported, and with network operating systems the consequences could be drastic. Those systems will be sitting ducks for vulnerability scanners, and the size of distributed denial-of-service networks may grow exponentially as a result.

Silver Lining?
After all, many users have come to rely on the auto-update mechanisms provided by vendors, such as Red Hat's up2date tool. When Red Hat's support for 7.3 goes away, tens of thousands of users will have no automated way to apply third-party security patches to the base OS.

As an open-source advocate, I must say this problem is also an opportunity.

We have a large base of commonly used open source applications, and we now have to develop support mechanisms that do not rely on a single commercial vendor. Although up2date is closely tied to Red Hat's proprietary Red Hat Network support offering, an up2date server clone is under development. Its feature set is rather limited at present, but Red Hat's new support policy will undoubtedly drive many users to run their own patch servers.

Another tool that could be used is Connectiva's port of Debian's apt package management front-end to Red Hat's RPM format. Running an apt repository is not difficult and provides an excellent mechanism for continued security updates.

All that is necessary is continued community support for the orphaned distributions, in the form of well-managed projects that follow security updates for core OS components, and then build and extensively test new packages on the target platform.

If you think that this sounds like an opportunity for third-party support vendors, you're right about that, too. I suspect that Tummy.com's KRUD distribution which provides monthly updates to a Red Hat-based system, will gain quite a number of customers. I know of at least one other vendor who is considering a Red Hat support offering including packages for older Red Hat versions.

Open source proponents have long claimed that our community can provide better support than any commercial vendor can. Now we'll have to prove it.

Check the original story if interested, as it has links in the text. It sounds like a pain to have to update my Redhat box to a newer version of Redhat to keep it supported, but I guess m$ do the same.. Support time could be a little longer than 12 months though..

Sil
  #2  
Old 17-February-2003, 12:38
silver
Join Date: Apr 2001
Location: Bournemouth, UK
Posts: 12,177

from http://www.redhat.com/apps/support/errata/

Code:
Red Hat Linux -- Beginning with the 8.0 release, Red Hat will
provide errata maintenance for at least 12 months from the date
of initial release. At certain times, Red Hat may extend errata
maintenance for certain popular releases of the operating
system. End of Life dates for errata maintenance for currently
supported products are listed below:
   
  
  Red Hat Linux 8.0 (Psyche)           December 31, 2003   
  Red Hat Linux 7.3 (Valhalla)         December 31, 2003   
  Red Hat Linux 7.2 (Enigma)           December 31, 2003   
  Red Hat Linux 7.1 (Seawolf)          December 31, 2003   
  Red Hat Linux 7.0 (Guinness)         March 31, 2003   
  Red Hat Linux 6.2 (Zoot)             March 31, 2003

My 7.3 has until Xmas then, at the moment...

Sil
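The errata table quoted above is the kind of thing worth checking automatically rather than by eye: once a box is past its date it gets no vendor security patches at all, which is exactly the "sitting ducks" problem the SecurityFocus column describes. The script below is an added example, not code from the thread, from Red Hat, or from any vendor. It parses the table format quoted in post #2, works out the installed release from the `/etc/redhat-release` line format (assumed here to be "Red Hat Linux release 7.3 (Valhalla)", which is the format those releases used), and reports whether that release is still supported on a given date. The copy of the table embedded in the script is a constructed sample with the same values as the post.

```python
"""Errata end-of-life checker.

Added example, not code from the forum thread or from Red Hat: it parses
the errata maintenance table quoted in post #2 and tells you whether a
given Red Hat Linux release still receives security errata on a given
date. Useful in an inventory script: a box past its date gets no vendor
patches, so it needs migrating or a third-party update source.
"""
import re
from datetime import date, datetime

# Constructed copy of the table quoted in post #2 (same values as the
# page), embedded so the script runs offline.
ERRATA_TABLE = """\
  Red Hat Linux 8.0 (Psyche)           December 31, 2003
  Red Hat Linux 7.3 (Valhalla)         December 31, 2003
  Red Hat Linux 7.2 (Enigma)           December 31, 2003
  Red Hat Linux 7.1 (Seawolf)          December 31, 2003
  Red Hat Linux 7.0 (Guinness)         March 31, 2003
  Red Hat Linux 6.2 (Zoot)             March 31, 2003
"""

# One table row: product, version, (codename), "Month DD, YYYY".
ROW_RE = re.compile(
    r"^\s*Red Hat Linux\s+(?P<version>\d+\.\d+)\s+"
    r"\((?P<codename>[^)]+)\)\s+"
    r"(?P<eol>[A-Z][a-z]+ \d{1,2}, \d{4})\s*$"
)


def parse_eol_table(text):
    """Return {version: (codename, eol_date)} for every row that matches."""
    table = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # blank lines or surrounding prose
        eol = datetime.strptime(m.group("eol"), "%B %d, %Y").date()
        table[m.group("version")] = (m.group("codename"), eol)
    return table


def version_from_release_file(contents):
    """Pull '7.3' out of text such as 'Red Hat Linux release 7.3 (Valhalla)'
    (assumed /etc/redhat-release format). Returns None if no version is found."""
    m = re.search(r"release\s+(\d+\.\d+)", contents)
    return m.group(1) if m else None


def support_status(version, table, today):
    """Return (status, days_remaining).

    status is 'supported', 'eol' or 'unknown'; days_remaining is negative
    once the release is past end-of-life and None when the release is not
    in the table (a release newer than the table, or a typo).
    today may be a date or an ISO 'YYYY-MM-DD' string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    if version not in table:
        return "unknown", None
    _codename, eol = table[version]
    remaining = (eol - today).days
    return ("supported" if remaining >= 0 else "eol"), remaining


def main():
    table = parse_eol_table(ERRATA_TABLE)
    try:
        with open("/etc/redhat-release") as f:
            release_text = f.read()
    except OSError:
        # Constructed sample for machines without the file.
        release_text = "Red Hat Linux release 7.3 (Valhalla)"
    version = version_from_release_file(release_text)
    status, remaining = support_status(version, table, date.today())
    suffix = f" ({remaining} days)" if remaining is not None else ""
    print(f"Red Hat Linux {version}: {status}{suffix}")


if __name__ == "__main__":
    main()
```

Run it on the box itself and feed the result into whatever inventory you keep; an "eol" or "unknown" result is the cue to plan a migration or point the machine at a maintained third-party repository, since the vendor's auto-update tool will simply go quiet rather than warn you.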
  #3  
Old 17-February-2003, 12:59
Memfis
Former TS! Team
Join Date: Feb 2002
Location: ex TS! Team Mansion squatter
Posts: 3,894

At least there is plenty of warning.

Hmm, good job I'm running Mandrake 9 on one of my servers.

~Mem
  #4  
Old 17-February-2003, 14:44
silver
Join Date: Apr 2001
Location: Bournemouth, UK
Posts: 12,177

I'm hoping they will extend the deadline on 7.3, as it's one of the popular releases...

Sil
  #5  
Old 24-April-2003, 14:04
Ian
Join Date: Apr 2001
Location: Down South
Posts: 3,266

Run http://www.gentoo.org instead. All the updates are compiled from source, so the version you install now will still update in years to come (you aren't limited to only using updates for specific versions).

Plus, because adding new versions of software in most cases involves just changing the ebuild file, new software updates appear amazingly quickly (KDE 3.1.1 is available now; Mandrake 9.1 is only on KDE 3.1).

Installing it is the only tricky bit (no graphical installer), but there are good docs on the Gentoo site, a huge forum and a very active mailing list or two.

Updating packages is as easy as:

emerge rsync           <- update the package database
emerge -up world       <- show what packages and dependencies are available
emerge -u packagename  <- update packagename
emerge -u world        <- update all packages

Updating most packages takes no more than a few minutes or so (excluding download time). KDE, GNOME, XFree86, glibc and gcc all take considerably longer, but you don't often need to update these unless you want to.

Another benefit is that you can choose the compiler CPU version. Most binary distributions are built for Pentium (586); if you have a P2/P3/Athlon/P4 you are missing out on specific optimisations.

Umm, anyway, it's great.
  #6  
Old 13-June-2003, 23:48
silver
Join Date: Apr 2001
Location: Bournemouth, UK
Posts: 12,177

Have been reading through the Gentoo site with interest; looks like a real 'enthusiasts' Linux'?

I might give it a spin at some point soon. Slightly apprehensive, as looking at kernel options is enough to do my head in.

Sil
  #7  
Old 04-November-2003, 10:52
silver
Join Date: Apr 2001
Location: Bournemouth, UK
Posts: 12,177

More:

Thank you for being a Red Hat Network customer.

This e-mail provides you with important information about the upcoming
discontinuation of Red Hat Linux, and resources to assist you with your
migration to another Red Hat solution.

As previously communicated, Red Hat will discontinue maintenance and
errata support for Red Hat Linux 7.1, 7.2, 7.3 and 8.0 as of December
31, 2003. Red Hat will discontinue maintenance and errata support for
Red Hat Linux 9 as of April 30, 2004. Red Hat does not plan to release
another product in the Red Hat Linux line.

With the recent announcement of Red Hat Enterprise Linux v.3, you'll
find migrating to Enterprise Linux appealing. We understand
that transitioning to another Red Hat solution requires careful planning
and implementation. We have created a migration plan for Red Hat Network
customers to help make the transition as simple and seamless as
possible. Details:

****************
If you purchase Red Hat Enterprise Linux WS or ES Basic before February
28, 2004, you will receive 50% off the price for two years.[*] (That's two
years for the price of one.)

****************
In addition, we have created a Red Hat Linux Migration Resource Center
to address your migration planning and other questions, such as:

* What are best practices for implementing the migration to Red Hat
Enterprise Linux?

* Are there other migration alternatives?

* How do I purchase Red Hat Enterprise Linux WS or ES Basic at the price
above?

* What if my paid subscription to RHN extends past April 30, 2004?

****************

Find out more about your migration options with product comparisons,
whitepapers and documentation at the Red Hat Linux Migration Resource
Center:

http://www.redhat.com/solutions/migration/rhl/rhn


Or read the FAQ written especially for Red Hat Network customers:

https://rhn.redhat.com/help/rhlmigrationfaq/

Sincerely,

Red Hat, Inc.

[*] Limit 10 units. Higher volume purchase inquiries should contact a
regional Red Hat sales representative. Contact numbers available at
http://www.redhat.com/solutions/migration/rhl/rhn

--the Red Hat Network Team

Humm, am not very impressed..

The thing I like about Redhat is that they email you when there's an exploit out for one of the packages you have installed, so you know what an update is for and why you should download it.

Sil
  #8  
Old 08-January-2004, 21:54
hardline (Guest)
Posts: n/a
Support for Redhat

MyUpdates (myupdates.gchsonline.com) is offering support for Redhat 7.2 through Redhat 9.0. I took a look at the site a little bit ago, and was so relieved that someone is going to continue to support Redhat outside of the Fedora project. After all, Fedora has made it clear that packages may be removed at any time if they think the repair of them will hinder the scope of the project. At least these guys are putting some commitment into it.
  #9  
Old 08-January-2004, 23:54
silver
Join Date: Apr 2001
Location: Bournemouth, UK
Posts: 12,177

Cool.

thanks for the heads-up and welcome to TS!

Sil
  #10  
Old 09-January-2004, 19:17
silver
Join Date: Apr 2001
Location: Bournemouth, UK
Posts: 12,177

Well - it's not free...

Our repositories will be maintained up to date by our developers, including bug/vulnerability fixes in as timely a manner as possible. Along with access to our repositories via ftp, we also offer the ability to connect to the repositories via YUM, an automated package installer for linux. We offer two subscriptions to our repositories: a one month subscription for $10.00 or a one year subscription for $60.00. For more information, click here.

Am messing with Gentoo as a backup for when Redhat pulls the plug totally... (unless I can get a RH Advanced Server licence from somewhere!)

Sil
  #11  
Old 14-January-2004, 23:58
silver
Join Date: Apr 2001
Location: Bournemouth, UK
Posts: 12,177

Well - it's all over then.

Dear Red Hat Linux 7.1, 7.2, 7.3 and 8.0 customers,

In accordance with our errata support policy, the Red Hat Linux 7.1,
7.2, 7.3 and 8.0 distributions have now reached their errata maintenance
end-of-life.

This means that we will no longer be producing security, bugfix, or
enhancement updates for these products. Red Hat Linux 9 reaches end
of life on April 30, 2004.

As our product family grows and expands, we want to help you
migrate to the Red Hat solution that is right for you. Whether that's
one of our Red Hat Enterprise Linux products or the Fedora Project, our
Red Hat Linux Migration Resource Center can help you find the Red Hat
solution best suited for your needs:

http://www.redhat.com/solutions/migration/rhl/

The errata support policy, as well as our current errata and advisories,
are available from:

http://www.redhat.com/apps/support/errata/

--the Red Hat Network Team

Have to suss out that Freeola thing..

Sil