Red Hat Bugzilla – Bug 80180
New Red Hat Security/Errata Release policy inadequate
Last modified: 2012-03-29 15:14:15 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003
Description of problem:
[I could not find any more suitable package to report this as a bug,
as it affects any package...]
Red Hat have recently modified their errata/security-fix policy, effectively
cutting down publication of security/other errata to
way less than half of the current time span.
Taking into account the time one needs to QA a new release (not all software
being run is shipped by Red Hat), the remaining usable lifetime of < 10 months
is just not enough to be useful, in about any setting other than a private toy
box at home.
Yes, I also see the other side, that it currently takes Red Hat an
incredibly long time to fix security bugs (just compare how long
it took Red Hat to fix the KDE SSL Certificate Chain Vulnerability,
where KDE had a patch out the day after publication, another certain
big OS vendor shipped a fix a month later, and just recently the
Red Hat fixed packages were available).
But planned obsolescence at this pace is just a no-go.
While I do not hold a support contract or RHN subscription, I do not
make any demands. I just respectfully submit you should reconsider this policy,
which will put you at a competitive disadvantage to basically all other
operating system vendors around.
I have used Red Hat since Version 3.0.3, but I, and every system
administrator that I talked to about this and who is using Red Hat Linux now,
first asked whether I was joking, and then resolved, without hesitation, that
then, it would be time to move on.
Steps to Reproduce:
1. Reload the redhat-announce archive. The message is there, and doesn't
Actual Results: That announcement is not GPG-signed, so chances are it is a fake.
Unfortunately, the web site also indicates this new policy is for real.
We realize that the current policy makes Red Hat Linux difficult to deploy in
situations where regular upgrades are undesirable. We also hope you understand
that providing these services to large numbers of users (note you mentioned
you're not a customer of Red Hat) is quite expensive, and we don't feel like we
can provide a high level of service for these products. We have enterprise OS
offerings that have long term support services included, and we will be
introducing more (such as the workstation product which was announced a couple
of weeks ago) at more flexible price points. Hopefully one of those offerings
will be a good fit for you and your organization.
I've reported the potential security problem to the vendor,
so my duty to the community is done. Any responsibility is
now yours (note I did not write 'liability', I know the licenses),
and I'll be watching intrusion stats within one year's time with
interest. Also the next TCO studies will be interesting.
I can and will keep my systems secure. (Was it you or Bob Young who
once said that Open Source protects the investment?)
PS: For me, to seriously consider using RHAS, its license needs to change.
If I wanted compliance audits and stuff, I'd be using Operating Systems
made in Redmond.
PPS: I wrote that I don't hold a support contract or RHN subscription. This
is not equivalent to not being a Red Hat customer.
*** Bug 808140 has been marked as a duplicate of this bug. ***