> Darren,
>
> Thanks for your reply. Are you sure about the openssl though? I don't
> pretend to be an expert on openssl,

Oh, me neither. :-)

> but the following page indicates there are vulnerabilities in openssl 0.9.7d dating back to 30th September 2004:
>
> http://www.openssl.org/news/vulnerabilities.html
>
> I was told by a Solaris admin at work today that certain software such as ssh and ssl are tied into the Solaris 10 OS, so patches for these come as OS patches which have to be tested more thoroughly, and therefore security fixes get released slower. My worry would be leaving the hole there whilst waiting for the fix. I'm not so concerned with having the latest functionality.

There is an army of patches released continuously. You need to take into consideration the various certifications in Solaris and the fact that it's a full-blown production UNIX. It's a serious business. The people at Red Hat will tell you the same thing about their Linux. Same thing from SUSE, and who knows what Microsoft says. :-)

All that being said, you will see an army of software updates flowing out of Blastwave:

http://www.blastwave.org/cronlist/index.html

That page updates throughout the day. As an example, just take a look at PostgreSQL. By the time Sun announces that they are going to ship it in Solaris, you will see that it was built by Blastwave months and months ago. Sun releases a few revs old while Blastwave pumps out the latest. Sun doesn't build it for a 64-bit target while Blastwave does. The rev of Apache is totally up to date, and we look at the same sources that everyone else does. We are very aware of the OpenSSL performance problems. (See PS below.)

It's a real mishmash of "how do you want to proceed?" You can keep the OpenSSH included in Solaris 10, but you can't get the high encryption ciphers like aes256-cbc. You get that from Blastwave, or go with Red Hat and it's included. Why? Import and export restrictions are placed on Sun, and they simply cannot ship the high encryption options to embargoed countries.

Personally I just use svcadm to disable the Sun-shipped OpenSSH and then I go with the packages from Blastwave. Works like a charm. Will you get security update patches from Sun? Absolutely. Will there be a non-stop flow of software updates out of Blastwave? Absolutely. Neither one of those costs you a nickel, by the way.

> The Redhat Enterprise openssl version is not the same as the product version so it's difficult to compare, but I'm told Redhat provide the latest patches. I tried to find something on the net to back this up but without much time, I was only able to dig up this FAQ:

I thought that Red Hat was charging boatloads of money for their RHEL gear? I would expect that they provide you with the latest and greatest as well as some assurance of security updates.

The Solaris 10 OS will not cost you a nickel. And yes, it's superior, and I'll stand by that. The software from Blastwave or "build it yourself" will not cost you a nickel either. But if you don't purchase a software support contract for your Solaris 10 box, then you're playing with fire. It's sort of a natural and bloody obvious thing to do, and it costs ... nickels a day, last time I checked.

So ... your mileage will vary, and you really need to look at all the options. My advice: download Solaris 10 Update 2. Install it. Get a software support contract and smile. If you want Apache 2.2.3 (latest rev) or KDE, then you can get it from Blastwave. Easy.

Dennis

PS: We have the exact same source at Blastwave that you will find in the CoolStack ( http://cooltools.sunsource.net/coolstack/index.html ), and we have the same compilers and the same Makefiles etc. Just remember that Blastwave builds for Solaris 8, Solaris 9 and Solaris 10 on both x86 and UltraSPARC. End of marketing. :-)

_______________________________________________
opensolaris-discuss mailing list
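The check behind the thread's concern (is the installed OpenSSL still at or below a release with known advisories, such as 0.9.7d?), as an added example that is not part of the original post: a POSIX sh helper that parses the `openssl version` banner and compares OpenSSL-style versions, including their patch-letter suffixes, against a floor. The floor value and the sample banner are assumptions constructed for illustration, not values taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: compare OpenSSL-style versions such as
# 0.9.7d / 0.9.8a / 1.0.2k-fips / 3.0.2 (the patch letter ranks after the numbers).

# Prints -1, 0 or 1 for "$1 is older than / equal to / newer than $2".
ossl_cmp() {
  awk -v a="$1" -v b="$2" '
    function key(v, k,   letter, n, parts, i) {
      letter = v
      sub(/^[0-9.]*/, "", letter)      # strip the numeric prefix ...
      sub(/[^a-z].*$/, "", letter)     # ... keep only the patch letter, if any
      sub(/[^0-9.].*$/, "", v)         # numeric part only, e.g. 0.9.7
      n = split(v, parts, ".")
      for (i = 1; i <= 3; i++) k[i] = (i <= n) ? parts[i] + 0 : 0
      k[4] = (letter == "") ? 0 : index("abcdefghijklmnopqrstuvwxyz", letter)
    }
    BEGIN {
      split("", ka); split("", kb)     # make sure both are arrays
      key(a, ka); key(b, kb)
      for (i = 1; i <= 4; i++) {
        if (ka[i] < kb[i]) { print "-1"; exit }
        if (ka[i] > kb[i]) { print "1"; exit }
      }
      print "0"
    }'
}

# Takes the banner printed by "openssl version" and a floor release.
# Returns 0 when the installed version is at or above the floor, 1 otherwise.
ossl_check() {
  banner=$1; floor=$2
  ver=$(printf '%s\n' "$banner" | awk '{ print $2 }')
  if [ "$(ossl_cmp "$ver" "$floor")" -lt 0 ]; then
    echo "OUTDATED: OpenSSL $ver is older than $floor; patch or replace it"
    return 1
  fi
  echo "OK: OpenSSL $ver is at or above $floor"
  return 0
}

# Assumed floor for illustration; set it from your own advisory review.
FLOOR=0.9.7e
# Constructed sample banner matching the version discussed in the thread.
SAMPLE_BANNER="OpenSSL 0.9.7d 17 Mar 2004"
ossl_check "$SAMPLE_BANNER" "$FLOOR" || :
# Live check, when an openssl binary is on PATH.
if command -v openssl >/dev/null 2>&1; then
  ossl_check "$(openssl version)" "$FLOOR" || :
fi
```

On Solaris the same banner comes from whichever `openssl` is first on PATH, so run it once for the Sun-shipped binary and once for the Blastwave one under /opt/csw to see which libraries your services actually link against.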
