
Re: Deleting i386 packages



Hey Martin,

I was reading your note, and it is not the reality or something that should be done, but rather another side to consider when working with software vendors. I do agree that there is a benefit when the sources are open, but companies like MS (just as an example) do not just vanish. The same could be said for many other vendors that are committed to supporting their clients.
I took an example and I will stick with it:
The sysadmin and IT department need to consider and evaluate what their relationship with the software vendor is, and decide. Sometimes they decide to open the source, but only in-house due to demand, and that is still unrelated to "dangerous". I agree that if we do not trust the vendor to test and patch its software then it is a risk, and when the sysadmin types "apt-get install tzdata" he should understand that it will be updated... and if not, he (or somebody) can compile and update the tzdata files.

I have seen more than once that an open source distribution did not apply critical updates and admins were required to run some errands to make the software work. I took the tzdata package since it was a very major issue on many systems I have seen.

I still think that an institute small enough not to build its own OS can assess its requirements and decide that, for example, Debian is not for them and they prefer a specific vendor. It's not dangerous and not reckless, but a decision which considers what is good for the institute from a couple of aspects.
Many admins feel safe enough with Windows and not with Debian.
I have a couple of servers and desktops and I have seen bugs that were not fixed in Debian, and the effort it would take me to fix them would be more than buying a Hyper-V or VMware license. So what if they are the only ones that can patch the software? They meet the institute's global goals at a good price. Is it that bad? No!

I remember that some admin I met showed me what he did to disable the Apache server version advertisement. Will it secure the service against some attacks? No, but F5, RADWARE and other companies' products will indeed do that, and in some cases it's cheaper than patching or upgrading a running system.

So still, the argument that it's dangerous is not really an argument.
The state stays exactly the same: there is a risk that needs to be assessed and evaluated, like in any software product and like any other chair on the planet.

All the best,
Eliezer

On 27/09/2015 11:47, Martin Read wrote:
> On 27/09/15 08:06, Eliezer Croitoru wrote:
>> Like any other job the programmers need money and software authors are
>> not obligated to publish their work to be available to all humanity (or
>> at least those parts of humanity that are connected to the WWW).
>> The above is something I think is right and it is right especially for
>> security and health related software.
>
> Security-related software is very *precisely* the kind that should not
> be closed-source proprietary software, because when your security
> software is proprietary, only the copyright holder has the right to
> publish and distribute a fix for that piece of software when it turns
> out to have a vulnerability.
>
> And, of course, on an Internet-connected computer *most* software turns
> out to be security-related.


