
Re: Nomination question: Redhat

Just comments to Joseph in here, the rest is in another mail.

Previously Joseph Carter wrote:
> This shows their development strategy is build it first and fast, then
> secure it. This is bad and I can't safely rely on that sort of
> development to be secure.

Our big advantage is that our userbase seems more educated and/or vocal
in this respect. Most of the times we get our security alerts from others
(bugtraq, bugreports, etc.). Also since a lot of people use our unstable tree
these problems tend to get fixed before a release is made. But we still
have our problems and fiascos in this respect (think netenv and fte). So
far we have caught the really big ones before a release, but since Debian
continues to grow and the Security Team can't audit each package this can
change in the future.

> In an open security model, the best way to get a problem fixed is to make
> the problem well known.

I have never seen RH keeping something secret. In fact as far as I know all
security problems are fixed in an open way, and the different Linux vendors
share security information and discuss possible problems quite frequently.

> Obviously, I wish they would adopt a more open development model which has
> the system as secure as it can be throughout their development. 

They are doing that now by making frequent snapshot releases available,
something like our unstable tree.

> > How can we work better with them?
[.. snip snip ..] 
> I also believe we could and should work with Redhat with big projects
> such as a sane installation and configuration for X.

So far it seems all distributions stick to their own installation procedures
and very little cross-fertilizing is being done. Funnily enough I heard
Erik Troan say during SANE that RH is going to work on their own
configuration management system, and I've mailed him a while ago to see if
we can work together on aspects of this (I've yet to hear anything from
him). That might be a nice testcase to see if we can work together on
other projects in the future. Please note that we have to be very careful
in common projects not to lose sight of our own needs: reducing work
is fine, but we should not end up with a result that is less than optimal.


This combination of bytes forms a message written to you by Wichert Akkerman.
E-Mail: wakkerma@cs.leidenuniv.nl
WWW: http://www.wi.leidenuniv.nl/~wichert/
