Title:
Opensolaris releases unsecure by default, or:
Why are Opensolaris stable 2009.06 users forced to pay for security updates?

*Problem:
Users installing the 2009.06 Opensolaris release from the free CD/ISO
are under the impression that they will receive updates like on every
other operating system.
They are wrong.
Sun is not giving security updates for the Opensolaris system
(access to the support repository that includes them)
to anyone but those who paid Sun for a support contract.

The imprint on the CD states: "LIVE CD. Keep your software current,
register at www.opensolaris.com/register"
Obviously even the statement printed on the CD is false; users will
never be able to apply security fixes and update their 2009.06 without
paying (unless chasing the Development release forever is considered
staying current).

*Result:

Users that want secure boxes with Opensolaris have 3 possibilities:

1. To believe Sun's statement printed on the CD that they are actually
updated without access to the support security packages, and to stay on
2009.06 until the next release
(therefore staying with an unsecure Opensolaris install for a whole year)

2. To update their fresh-installed 2009.06 to the newest development
release (/dev repository) right after installing. This denies any
meaning to even releasing 2009.06, when only the development release
can be used for free and patched.
(therefore running an unstable development Opensolaris system)

3. To pay Sun for unwanted support contracts just to get security update
packages.
(Requires paying for something all other OSes give for free, even
commercial ones)

So from my perspective, Sun is keeping this "unable to update without
paying" thing secret.

I believe that not allowing new users of Opensolaris to update to a
secure state conflicts with the motivation to give away free CDs in the
first place.

Also I think that new users should not be lied to in the first
misleading on-CD statement that they could keep their software current
by simply registering.

*Proposed solution:

Stay on the right track with sincere efforts to allow the widespread use
of the Opensolaris platform. Allow users to actually use Opensolaris in
a secure way, by allowing all users access to a security repository that
will bring security-patched packages, with no need to pay for security
packages (as for the release) and no need to sign and pay for an
unwanted support contract.

*If not done:
If that is not done, Opensolaris free CDs and Opensolaris ISO releases
could be looked at as simply a way to sell support contracts and as
media for a Development release upgrade, and not as a stable solution
for new users to migrate to.
Also, new adopters could be thinking that the inability to stay secure
leads to the conclusion of "do not use that". Not to mention the
repercussions of thinking that someone is being insincere to users.
Opensolaris releases could be looked at not as releases but as insecure
development snapshots without a security repository.

*Proposed action:
Release a security repository (Publisher) for the 2009.06 Opensolaris
release that would include the security-patched packages that are now
only in the `support` repository, and do it so all people could actually
use Opensolaris in a secure way in production environments.

*Benefits:
By aligning the security practices of the released Opensolaris version
with all the rest of the free Opensource released products, Opensolaris
can count on widespread use and wider application support.
Users need a stable platform with well-defined releases, even for
personal use, onwards.
People and companies would port their packages and use the platform in
their solutions IF they have a stable and security-backed release.
There will be more repositories targeting the released Opensolaris
version, one thing that cannot be done with an always-chasing
development release.
Therefore, software porters could rely on a stable platform.
After application support grows, the user base will grow exponentially.

_______________________________________________
opensolaris-help mailing list
opensolaris-help@opensolaris.org
