
Re: Debian as Software Appliance

On Sat, 17 Sep 2011 15:53:04 +0800
Paul Wise <pabs@debian.org> wrote:

> On Fri, Sep 16, 2011 at 4:39 AM, zferentz wrote:
> > My company is considering shipping our (commercial) product on top of a
> > Linux software appliance. One of the suggestions was to use Linux
> > Debian as a core.
> > My questions are pretty basic:
> Others have answered this, but I would like to point out that security
> is often neglected in software appliances so I hope you:
> Allow your users to perform security updates on their instance.
> Notify your users when their instance needs a security update.
> Notify your users when their appliance no longer has security support.
> Allow your users to upgrade their instance to a newer version of
> Debian that has security support.

Just one little proviso on that: Plenty of devices which could use
Debian and many that already do use Debian provide absolutely no
connectivity outside the device and most of those are single-user
machines. Some producers will offer upgrades of the software running on
top of Debian and, where relevant, upgrade the Debian packages at that
time, but this will be a return-to-base warranty / upgrade action based
on marketing and service contracts and may involve replacing bits of
hardware too. (i.e. their software + Debian is an integrated solution
and updates to Debian would need extensive testing. Yes, Debian tries
very hard to prevent security fixes breaking previous behaviour but these
devices may also need to be supported long after Debian has dropped
those versions as oldstable. 7 years is not uncommon - and that's
starting with Debian stable.)

Emdebian has had plenty of requests and queries about providing static
installations which lack apt and dpkg binaries precisely because it is
impossible to upgrade the installed software without replacing it
entirely. The device will never see a network or external storage and
the only upgrade method involves JTAG and RS232. Sometimes there is a
read-only filesystem underneath too.

We may think of "software appliances" as having WiFi or similar but it
isn't necessarily the case. Even if the hardware supports it, the
connectors may not be accessible without opening the case, at which
point "warranty void", game over etc., you know the rest.

Debian quite often gets onto devices which look nothing like a PC,
server or phone. Fully integrated devices with no external connections
at all (with possible exception of replaceable battery packs).

Yes, the Debian software is free software - that doesn't mean that it's
helpful to make the Debian packages upgradable by the user of specific
devices, especially (as with the original query) when the Debian
software is not actually visible to the user but supporting a heavily
customised, proprietary, interface from power on to halt.

It is always worth reminding people about security though, who knows
what hardware upgrades someone will specify for version 2 of such


Neil Williams
