Bug 80180 - New Red Hat Security/Errata Release policy inadequate
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: distribution
Version: 8.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Erik Troan
QA Contact: Brock Organ
Keywords: Security
Reported: 2002-12-21 08:52 EST by Mario Lorenz
Modified: 2012-03-29 15:14 EDT (History)
CC List: 4 users

Doc Type: Bug Fix
Last Closed: 2002-12-23 15:54:57 EST

Attachments: None

Description Mario Lorenz 2002-12-21 08:52:04 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Description of problem:
[I could not find any more suitable package to report this as a bug,
as it affects any package...]

Red Hat have recently modified their errata/security-fix policy, effectively
cutting down publication of security/other errata to way less than half of
the current time span.

Taking into account the time one needs to QA a new release (not all software
being run is shipped by Red Hat), the remaining usable lifetime of < 10 months
is just not enough to be useful in about any setting other than a private toy
box at home.

Yes, I also see the other side: that it currently takes Red Hat an
incredibly long time to fix security bugs (just compare how long
it took Red Hat to fix the KDE SSL Certificate Chain Vulnerability,
where KDE had a patch out the day after publication, another certain
big OS vendor shipped a fix a month later, and just recently the
Red Hat fixed packages were available).

But planned obsoletion at this pace is just a no-go.

While I do not hold a support contract or RHN subscription, I do not
make any demands. I just respectfully submit that you should reconsider this
policy, which will put you at a competitive disadvantage to basically all other
operating system vendors around.

I have used Red Hat since Version 3.0.3, but I, and any system
administrator that I talked to about this and who is using Red Hat Linux now,
first asked whether I was joking, and then resolved, without hesitation, that
then it would be time to move on.

Version-Release number of selected component (if applicable):


How reproducible:
Didn't try

Steps to Reproduce:
1. Reload the redhat-announce archive. The message is there, and doesn't
change.

Actual Results:  That announcement is not GPG-Signed, so chances are it is a fake.
Unfortunately, the web site also indicates this new policy is for real.


Additional info:
Comment 1 Erik Troan 2002-12-23 15:54:57 EST
We realize that the current policy makes Red Hat Linux difficult to deploy in
situations where regular upgrades are undesirable. We also hope you understand
that providing these services to large numbers of users (note you mentioned
you're not a customer of Red Hat) is quite expensive, and we don't feel like we
can provide a high level of service for these products. We have enterprise OS
offerings that have long term support services included, and we will be
introducing more (such as the workstation product which was announced a couple
of weeks ago) at more flexible price points. Hopefully one of those offerings
will be a good fit for you and your organization.
Comment 2 Mario Lorenz 2002-12-24 02:54:26 EST
I've reported the potential security problem to the vendor,
so my duty to the community is done. Any responsibility is
now yours (note I did not write 'liability', I know the licenses),
and I'll be watching intrusion stats within one year's time with
interest. Also the next TCO studies will be interesting.

I can and will keep my systems secure. (Was it you or Bob Young who
once said that Open Source protects the investment?)

PS: For me, to seriously consider using RHAS, its license needs to change.
If I wanted compliance audits and stuff, I'd be using Operating Systems
made in Redmond.

PPS: I wrote that I don't hold a support contract or RHN subscription. This
is not equivalent to not being a Red Hat customer.
Comment 3 Lisa Mitchell 2012-03-29 15:14:15 EDT
*** Bug 808140 has been marked as a duplicate of this bug. ***