Bug 80180

Summary: New Red Hat Security/Errata Release policy inadequate
Product: [Retired] Red Hat Linux Reporter: Mario Lorenz <ml>
Component: distributionAssignee: Erik Troan <ewt>
Status: CLOSED NOTABUG QA Contact: Brock Organ <borgan>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.0CC: lisa.mitchell, mitr, mjc, notting
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2002-12-23 20:54:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mario Lorenz 2002-12-21 13:52:04 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Description of problem:
[I could not find any more suitable package to report this as a bug,
as it affects any package...]

Red Hat have recently modified their errata/securityfix policy effecitvely
cutting down publication of security/other errata to
way less than half of the current time span.

Taking into account the time one needs to QA a new release (not all software
being run is shipped by Red Hat), the remaining useable life time of < 10 months
is just not enough to be useful, in about any setting other than a private toy
box at home.

Yes, I also see the other side, that it currently takes Red Hat an
incredibly long time to fix security bugs (just compare how long
it took Red Hat to fix the KDE SSL Certificate Chain Vulnerability,
where KDE had a patch out the day after publication, another certain
big OS vendor shipped a fix a month later, an just recently the
Red Hat fixed packages were available.

But planned obsoletion at this pace is just a no-go.

While I do not hold a support contract or RHN subscription, I do not
make any demands. I just respectfully submit you should reconsider this policy
which will put you in a competative disadvantage to basically all other
operating system vendors around.

I have used Red Hat since Version 3.0.3, but me, and any system
administrator that I talked to about this and who is using Red Hat Linux now,
first asked wheter I was joking, and then resolved, without hesitation, that
then, it would be time to move on.



Version-Release number of selected component (if applicable):


How reproducible:
Didn't try

Steps to Reproduce:
1.Reload the redhat-announce archive. The message is there, and doesnt
change. 

Actual Results:  That announcement is not GPG-Signed, so chances are it is a fake.
Unfortunately, the web site also indicates this new policy is for real.


Additional info:
Comment 1 Erik Troan 2002-12-23 20:54:57 UTC 
We realize that the current policy makes Red Hat Linux difficult to deploy in
situations where regular upgrades are undesirable. We also hope you understand
that providing these services to large numbers of users (note you mentioned
you're not a customer of Red Hat) is quite expensive, and we don't feel like we
can provide a high level of service for these products. We have enterprise OS
offerings that have long term support services included, and we will be
introducing more (such as the workstation product which was announced a couple
of weeks ago) at more flexible price points. Hopefully one of those offerings
will be a good fit for you and your organization.
Comment 2 Mario Lorenz 2002-12-24 07:54:26 UTC 
I've reported the potential security problem to the vendor,
so my duty to the community is done. Any responsibility is
now yours (note I did not write 'liability', I know the licenses),
and I'll be watching intrusion stats within one years time with
interest. Also the next TCO shtudies will be interesting.

I can and will keep my systems secure. (Was it you or Bob Young who
once said that Open Source protects the investment?)

PS: For me, to seriously consider using RHAS, its license needs to change.
If I wanted compliance audits and stuff, I'd be using Operating Systems
made in Redmond.

PPS: I wrote I dont hold a support contract or RHN subscription. This
is not equivalent to not being a Red Hat customer.
Comment 3 Lisa Mitchell 2012-03-29 19:14:15 UTC 
*** Bug 808140 has been marked as a duplicate of this bug. ***