From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Description of problem:
[I could not find any more suitable package to report this as a bug, as it affects any package...]

Red Hat have recently modified their errata/security-fix policy, effectively cutting down publication of security/other errata to way less than half of the current time span. Taking into account the time one needs to QA a new release (not all software being run is shipped by Red Hat), the remaining usable lifetime of < 10 months is just not enough to be useful, in about any setting other than a private toy box at home.

Yes, I also see the other side, that it currently takes Red Hat an incredibly long time to fix security bugs (just compare how long it took Red Hat to fix the KDE SSL Certificate Chain Vulnerability, where KDE had a patch out the day after publication, another certain big OS vendor shipped a fix a month later, and just recently the Red Hat fixed packages were available). But planned obsolescence at this pace is just a no-go.

While I do not hold a support contract or RHN subscription, I do not make any demands. I just respectfully submit you should reconsider this policy, which will put you at a competitive disadvantage to basically all other operating system vendors around.

I have used Red Hat since Version 3.0.3, but me, and any system administrator that I talked to about this and who is using Red Hat Linux now, first asked whether I was joking, and then resolved, without hesitation, that then, it would be time to move on.

Version-Release number of selected component (if applicable):

How reproducible:
Didn't try

Steps to Reproduce:
1. Reload the redhat-announce archive. The message is there, and doesn't change.

Actual Results:
That announcement is not GPG-signed, so chances are it is a fake. Unfortunately, the web site also indicates this new policy is for real.

Additional info:
We realize that the current policy makes Red Hat Linux difficult to deploy in situations where regular upgrades are undesirable. We also hope you understand that providing these services to large numbers of users (note you mentioned you're not a customer of Red Hat) is quite expensive, and we don't feel like we can provide a high level of service for these products. We have enterprise OS offerings that have long-term support services included, and we will be introducing more (such as the workstation product which was announced a couple of weeks ago) at more flexible price points. Hopefully one of those offerings will be a good fit for you and your organization.
I've reported the potential security problem to the vendor, so my duty to the community is done. Any responsibility is now yours (note I did not write 'liability', I know the licenses), and I'll be watching intrusion stats within one year's time with interest. Also the next TCO studies will be interesting. I can and will keep my systems secure. (Was it you or Bob Young who once said that Open Source protects the investment?)

PS: For me, to seriously consider using RHAS, its license needs to change. If I wanted compliance audits and stuff, I'd be using Operating Systems made in Redmond.

PPS: I wrote I don't hold a support contract or RHN subscription. This is not equivalent to not being a Red Hat customer.
*** Bug 808140 has been marked as a duplicate of this bug. ***