False claim in RHN Announcement?

Thu, 27 Feb 2003 21:47:38 -0800 

  I just recieved email with the subject "Red Hat Network Announcement" 
which included the following claim:

  - Priority bandwidth during heavy traffic periods.  Paid subscribers have
    immediate access to errata and ISOs, ensuring that their systems are
    kept up to date and always secure.


  Our company evaluated current [1], nrh-up2date [2] and openup [3] to
provide up2date services to one pool of our servers.  While none of the
three programs provide full RHN functionality, they did provide
functionality that we needed that RHN does not provide.  The issue has
been that these servers are running packages made available from the
contrib directory of the Red Hat public ftp site or using RPMs based from
spec files provided from RH PowerTools which we rebuilt.  So rather than
up2date once for Red Hat RPMs and then manually add updates to contrib/our
own RPMs, we do it all with a single up2date which RHN would not allow us
to do.  However, for a small pool of servers with little or no additional
packages, we have continued to use paid RHN accounts.

  The major difference in security responce came about when the update for
CUPS remote root vulnerablity [4] was released.  The pool of servers that
contact our in-house up2date server where upgraded to a non-effected
version of CUPS on December 20th.  There where no complaints or issues
discovered by the users after the upgrade.  To try to avoid any issues of
getting support from Red Hat in the future, the CUPS packages on the paid
RHN accounts where not updated until offical RHN update was provided on
January 9th [5].  Considering the amount of time permitted to pass, I find
the claim offensive that this could be consider ensuring systems are
"always secure."  Does Red Hat have an online defination of "secure" that
RHN adheres to?  What is the maxium time period that a paid account should
expect to pass from the public announcement of a patch to a remote root
vulnerablity and the ensured update?

References:
[1]  http://current.tigris.org/
[2]  http://www.nrh-up2date.org/
[3]  http://openup.colug.net/
[4]  http://www.idefense.com/advisory/12.19.02.txt
[5]  https://rhn.redhat.com/errata/RHSA-2002-295.html



-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list

Reply via email to