SCIENTIFIC-LINUX-USERS Archives

June 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Nico Kadel-Garcia <[log in to unmask]>
Reply To: Nico Kadel-Garcia <[log in to unmask]>
Date: Fri, 20 Jun 2014 21:09:21 -0400
Hi, Dag!!

Haven't seen you since that London Linux conference, I'm back in the USA now.

On Fri, Jun 20, 2014 at 5:14 PM, Dag Wieers <[log in to unmask]> wrote:

> Self-criticism (and yes, I feel part of Red Hat's community) is essential.
> And a decision that makes Red Hat weaker, weakens my case as well.

It's also contributing to skepticism from companies and users looking
at RHEL 7 or the clone rebuilds. If we're all stuck rebuilding from
CentOS, not from RHEL signed packages that are verifiably consistent
with what our favorite upstream vendor actually packages and tests,
that's a logical source of security and support concern.

What makes it worse is that HTTPS is not sufficiently secure to verify
the authenticity of original source code, and the git repo itself
could be hijacked by any subtle attacker using any of the unrevoked,
stolen SSL wildcard keys in the wild. That could be a fascinating
security hole for 3rd party vendors who rely on RHEL or CentOS SRPM's
for their source code for open source based projects. These include
Centrify, that rebundles OpenSSH with various features, and apparently
Cisco for their ASA firewall products.

> With all due respect, but your response to one point of criticism is probably
> why someone at Red Hat (unless maybe high up in the organization) may not
> speak up. It clearly is a management/legal decision and yes, I do believe if
> you are on the payroll, that is exactly what you are not supposed to
> question. Red Hat becoming less Open Source may harm the company's public
> image.

Dag, I beg to differ with you here. My experience with Red Hat
technical personnel on an individual basis is that they will
*question* policies, but that they are quite aware that their voice is
not authoritative and are cautious about saying "this is the way it
is, because I work for Red Hat and that's the policy". They leave
it to the legal and management personnel, who may also be aware of
things they're not privy to (such as software licensing agreements
with Sun, back in the day.)

> And since the CentOS board is on Red Hat's payroll as well, I think they are
> in the same boat, unfortunately.

Yeah, I've been urging my clients to switch to Scientific Linux where
possible for a stack of reasons. If we, or our friends on the SL build
team, can work around this, it'll be another reason to switch. The
decision to switch to pure git based distribution is, currently, rife
with security and implementation issues. That it was done effectively
unannounced, without testing it with the RHEL 7 beta components is a
sign of a problem.
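As an added example (not from Nico's post, the SL build team or the CentOS project), the check a rebuilder would want before trusting an SRPM: a POSIX sh script that classifies `rpm -K` (checksig) result lines so that a digest-only OK, which proves nothing more than an intact HTTPS download does, is rejected unless an OpenPGP signature also verified. The `rpm -K` line format, the package names and the sample lines are constructed approximations and an assumption, not real vendor output.

```shell
#!/bin/sh
# Added example, not from the list post. Classifies lines in the style of
# `rpm -K` (rpm --checksig) output; the line format and the sample lines
# below are constructed from the classic rpm output and are an assumption.
# Point: "sha1 md5 OK" only proves the file is intact (same assurance as a
# clean HTTPS download); only a "pgp"/"gpg" token together with OK proves
# that a key in the RPM keyring (the vendor's, if that is all you import)
# signed the package.

# Return 0 only when the line reports a verified OpenPGP signature.
srpm_sig_ok() {
  case "$1" in
    *"NOT OK"*)              return 1 ;;  # digest or signature failure
    *" pgp "*OK|*" gpg "*OK) return 0 ;;  # signature present and verified
    *)                       return 1 ;;  # digests only: unsigned package
  esac
}

# Read rpm -K lines on stdin, print a verdict per package and
# return the number of rejected packages (0 = every package signed).
check_all() {
  bad=0
  while IFS= read -r line; do
    pkg=${line%%:*}
    if srpm_sig_ok "$line"; then
      printf 'SIGNED  %s\n' "$pkg"
    else
      printf 'REJECT  %s\n' "$pkg"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Constructed sample: one signed SRPM, one rebuilt without a signature,
# one whose signature did not verify (placeholder package names).
SAMPLE='example-1.0-1.el7.src.rpm: rsa sha1 (md5) pgp md5 OK
rebuilt-2.0-3.el7.src.rpm: sha1 md5 OK
tampered-1.2-1.el7.src.rpm: rsa sha1 (md5) pgp md5 NOT OK'

printf '%s\n' "$SAMPLE" | check_all || echo "rejected $? of 3 packages"
```

In practice feed it the real output of `rpm -K *.src.rpm` after importing only the vendor's signing key, so that a signature from any other key is also reported as a failure.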
