>
>
>I am not jumping into this discussion as "the official voice" of Sun
>with regards to security updates, our short/long term strategies on
>providing patches, etc.  I just feel that some sort of commentary from
>within is appropriate here as the rumors and accusations are starting to
>get a little out of control.  This is my only statement, and I will not
>be replying to this thread after this one comment.
>
>Sun Cobalt server appliances (Qube, RaQ) are just that -- appliances.
>They are purpose-built, pre-integrated combinations of hardware and
>software which deliver a fixed set of services, and are designed to be
>operated via the web interface.  We did not "lock down" the appliance
>like many of our competitors do, so that the end users _are_ able to get
>shell access, and _are_ able to make their own modifications if they
>desire.  But it is unreasonable to expect a manufacturer to support any
>random changes made by end users. Will GE support you if you decide to
>turn up the wattage in your microwave, or to use another list member's
>favorite terminology, would Kenmore still support you if you tweaked
>your washing machine motor to add a "superfast" spin cycle?  No.
>Manufacturers support purpose-built systems "as shipped."  While
>modifications are not prevented, they are not necessarily encouraged,
>and definitely not supported.

It is expected that they would provide security updates in a timely manner 
to fix security problems within the appliance as shipped.  That is not too 
much to expect.  I do understand that there are other venues for additional 
software that is NOT SUPPORTED by the guys in Europe and that there was a 
problem with them using a .cobalt.com address and have now moved to another 
url.  I am not asking for support for their packages.  I just want support 
for my little appliance as shipped.  Granted without a firewall or other 
package, the machine doesn't stay online long before being modified by a 
hacker.  There could be a bit more done though.   Everyone has been 
reporting problems with zlib lately.  Is it a problem on a Cobalt 
system?  If it is, why has it not been fixed?  I am not asking for a fix to 
ssh.  Is there a problem with php as shipped on the system?  Why has it not 
been fixed?  Yes, there are fixes to php and ssh on pkgmaster.com, but they 
are not supported.  php was shipped on the system, was it not?  I am 
willing to accept most of your statement, BUT, I am not happy about Sun 
Cobalt not fixing security problems with the appliance as shipped.

If the system is to be shipped as you state as not being "locked down", 
fine.  Spell that out to us on the web site.  Tell us it is vulnerable to 
security problems and that Sun Cobalt will NOT be providing support or 
updates to fix those vulnerabilities.  Tell us that as a browser based GUI 
a person still needs to know Linux to maintain the system in a secure state 
and that it can NOT be done via the provided GUI.  Once that is done, maybe 
some third party will provide fixes for the Cobalt machines that you refuse 
to fix.  Just like Norton and Central Point used to make enhancements for 
windows.  Now we will have xyz company providing us with fixes for our 
Cobalt system.

Just state something up front and give us the means to take care of our 
systems.  Many of us bought the systems with the understanding that it 
could be maintained via the GUI.  We also were led to believe that they 
were somewhat secure.  A machine out of  the box can be hacked within 
minutes of being put on line.  This is absolutely stupid and personally I 
think it is probably a liability to Sun.

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
