On Wednesday 22 October 2003 10:47, Bill Rugolsky Jr. wrote:

> I never meant to suggest that production machines should be upgraded
> willy-nilly. Of course not. Rather, I was countering the idea that
> FC1 Test was somehow wildly unstable.

Thanks for your response, and your insight.

> As to security updates for four years, I understand your reluctance
> to use RHEL because of price sensitivity. But Red Hat suffers from
> price sensitivity too -- they need to pay people to backport and QA
> patches. That involves personnel, equipment, and cycles.

I understand this. The part I don't like is the Fear, Uncertainty and Doubt that Red Hat is currently distributing.

I called a salesrep a few days ago for information on whether the RHEL packages could be used after the first year (without renewing) or whether they could be used on additional systems. The answer I got was that Enterprise Linux is almost all open source and that I could use the open source parts of it on multiple systems but the license prohibited me from using it on more than one machine so I'd have to compile everything from source. I was also told that I could use updates only on one machine, but not on any other machine. But he had no idea which portions of the product were open source and which weren't, which to me is an attempt to instill FUD.

Either a given package is or isn't open source. And if Red Hat won't tell us which pieces of their packages are and which aren't, then as far as I'm concerned, they've infected the whole package. Since they have more money than I do, I'm certainly not going to test them on this, but I believe it.

> Hardware
> compatibility evolves, and so it is necessary to keep around hardware
> that was in the HCL for that release. (E.g., 440GX mobos, sold in
> large quantities by VA Linux and others, have broken APIC behavior.)
> It may be that others can provide this service for less money. This
> issue has been rehashed repeatedly on this list.

Yes, but so far no one has come up and offered the service. I won't; it's not our business model. And it doesn't appear to be anyone else's either.

> I'd suggest that if $100K/yr to hire someone to do maintenance on
> your systems, including patching and backporting, is too high, then
> hosting providers like yourself need to pool your resources to hire
> folks to do the work or divide it amongst yourselves.

Or find other resources.

> The Fedora
> Project is a natural rendezvous point, and one would assume that with
> a bit of coordination, the task of keeping the major server
> applications secure could be divided among a relatively small group,
> with individuals with expertise in a particular app, say Apache or
> MySQL, taking on maintenance of that package.

It may very well be. So far no one has stepped up to the plate, but I'm hopeful that will happen.

> Patching is occasionally difficult, but the vast majority of security
> fixes are simple backports. The greatest difficulties are when (1)
> the upstream app is no longer vulnerable, due to extensive changes,
> hence there is nothing to backport, and (2) kernel patching, due to
> the heavily patched kernels in common use. One of the goals of
> Fedora core is to keep the kernel closer to mainline, and that may
> help.

I never said I faulted what Fedora is doing, and I don't. I just don't see it as filling my needs, or my clients' needs. And that was the basis of my original response and my followups.

> If you (or your customers) want *guarantees* regarding security
> updates, it is going to cost you money; there is no simple way around
> that.

We know that. I was willing (and I still am willing) to pay the $60 annual per system fee for RHN; it was Red Hat who decided to eliminate that model.

Interestingly, there is an option. I don't want to take it, but it's there, it's supported, and I may have to take it. It's called FreeBSD.

No, I'm not trying to start a war.
I'm NOT trying to badmouth Linux or Red Hat, or the Fedora project. I'm merely disappointed that the promise of Linux has so deteriorated as companies who've made millions of dollars on open source software are now attempting to license it at as high a price as M$, and using as an excuse that they became a public corporation so now have to put their profits first.

That's my opinion. No flames accepted onlist; if anyone needs to flame me please do it offlist.

Thanks.

Jeff
--
Jeff Lasman, nobaloney.net, P. O. Box 52672, Riverside, CA 92517 US
Professional Internet Services & Support / Consulting / Colocation
Our blists address used on lists is for list email only
Phone +1 909 324-9706, or see: "http://www.nobaloney.net/contactus.html"