On 4/20/06, taharka <res00vl8@xxxxxxxxxx> wrote:
> Howdy,
>
> This may be of interest to some on the list ;-)
>
> Security: Unpatched and Doing Fine?
>
> by Kristy Westphal

I find Kristy's essay pretty ignorant. She makes some untrue statements about Red Hat and Fedora that indicate she's not done a lot of homework and simply wants to get some copy out the door. Here's the relevant section:

"Just to prove my point, I took a gander at some patching methods for several different platforms:

* Red Hat/SELinux/Fedora — I don't really know what to say here. Patching Red Hat has always been difficult; you had to pay for maintenance even when the operating system was free. Now with the transition to the Enterprise version, you most certainly have to pay for your patches just like other commercial software.

* Fedora also has me stymied. I have had a Fedora system for more than a year, and it stopped needing updates about six months ago — not one patch required in more than 6 months. That's enough to make a security person go wiggy. I will give Fedora some credit, though. The Yum tool is an easy and quick way to check the availability and management of update packages (that is, it's quick and easy when the patches are available to install!)."

You've never had to pay for patches for Red Hat systems, and Fedora != Red Hat. You still do not have to pay for patches for Enterprise systems. I've been looking for pre-legacy patches for Red Hat 7.3 and Red Hat only offers patches for RHEL (that I'm able to find) and they're free to boot.

As for her comments regarding Fedora, of course any Fedora release that you've had for over a year is going to stop being patched because *it is no longer supported*. She's ignorant of the Legacy project, she's ignorant of the Fedora release cycle, and she's not able to figure out why old software might not have patches available.
Here's a section that made me chuckle:

"Debian — From the Debian FAQ: 'Once the security team receives a notification of an incident, one or more members review it and consider its impact on the stable release of Debian (i.e., if it's vulnerable or not). If our system is vulnerable, we work on a fix for the problem. The package maintainer is contacted as well, if they didn't contact the security team already. Finally, the fix is tested and new packages are prepared, which are then compiled on all stable architectures and uploaded afterwards. After all of that is done, an advisory is published.' Debian can also use the APT tools to help maintain packages. Wow! Hats off to Debian for clearly describing their process!"

Hats off to you, Kristy, for showing us that you actually read some documentation of some kind somewhere at some point during your "testing" of various distributions.

"Does your brain hurt now? Imagine how I felt while researching this topic. It is exhausting to understand how each operating system manages its patches."

Yes, Kristy, my brain hurts now. I'm glad, however, that you're obviously wide awake. ;-)

--
Chris

"I trust the Democrats to take away my money, which I can afford. I trust the Republicans to take away my freedom, which I cannot."