SCIENTIFIC-LINUX-USERS Archives

April 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Wed, 9 Apr 2014 21:01:53 +0900

On Wednesday 09 April 2014 06:38:38 Jamie Duncan wrote:
> I don't know what you mean by 'commercial OS'.
> 
> Let me rewind a little and make sure I'm completely clear in the point I
> was trying to make. I blame the horrid hotel room I'm in right now for any
> confusion.
> 
> I mostly work in the government space these days. Certifications like
> Common Criteria, FIPS, FISMA, et al include not only the bits but the build
> environments/processes/etc. as well. They are time-consuming, expensive and
> the RHEL certifications for these standards don't apply to
> SL/CentOS/OEL/foo.

Just to follow on that, the standards don't apply to the source in this case, 
they apply to the binaries, which starts with the source, follows through a 
verified build environment and on to signed binaries (and how they are signed, 
and how those keys are handled, as well). It's a major pain, which is why the 
OpenSSL project's FIPS efforts are all sub-projects, getting FIPS binaries out 
is a pita worth a project all its own (and is *really* expensive, which is why 
only certain parts are FIPS certified).

To understand a part of why the source isn't the main issue, review the 
classic "Trusting Trust" (AKA "Mother of all Security Fears") by Ken Thompson 
-- yes, *that* Ken Thompson.
http://cm.bell-labs.com/who/ken/trust.html

That said, Thompson's paper will also demonstrate why this isn't enough for 
complete security, but it's the best a large organization can do...
