On Thu, 26 Nov 2009 12:45:15 +0100 "Nikola M." <minikola at gmail.com> wrote:

> Requirement of payment for security updates for free software should be
> told to people, so they know what to expect in production.
You found out about it, so clearly people are being told. If some OS feature is crucial to either production use of that OS or exiting from such, then it behooves the person evaluating the OS for production use to check on those features, and then fail that OS if they are missing.

> I cannot in clear conscience give people free CDs and tell them that
> OpenSolaris is for free and after that they realize they use insecure
> software, they must pay for security?

This implies that there's actually such a thing as "secure" software to begin with. The best you can hope for is software with no known security problems.

> Updates are there and available, BUT users are disabled of accessing it..
> All operating systems in the world have free security patches BUT
> OpenSolaris release versions.

False. Neither DragonFly BSD nor Gentoo Linux provide either security-only or security+bugfix patch streams. I'm sure there are others out there as well, but I don't really have time (or hardware!) to investigate "All operating systems in the world".

People coming from Linux seem to expect that OpenSolaris will have all the features that their favorite Linux distro has. This is obviously naive when you consider that Solaris went open source five years ago, whereas the Linux and BSD distributions are over 15 years old. So not surprisingly, there are *major* holes in the OpenSolaris distributions when compared to those more mature distributions. In particular, you might investigate how many of those distributions had some flavor of security patch stream when they were only 5 years old. At the time, I was using the most popular BSD distribution, and they were in even worse shape than OpenSolaris is now.

> I just think it not very good way to make platform widespread and more
> used by not telling people that OpenSolaris platform is insecure and
> that it will stay like that because Sun says so.

Sun isn't the only one with a say in this.
First, I'd like to point out that it's not at *all* clear that the paid OpenSolaris support group is in any way affiliated with the OpenSolaris distributions (other than both being part of Sun). It's not at all uncommon for developers working on open software projects to offer paid support outside the project. That was pretty much what Cygnus did (until they got bought by Red Hat). Once you have such a group, if the OS you're supporting doesn't have a security patch stream, that's an obvious service to offer. Nuts, even if there is such a patch stream, vetting it and providing customer notifications is still a worthwhile service.

Given that, you should be able to guess what I'm going to say next. If you really feel that OpenSolaris needs a free security patch stream, nothing prevents you from providing it. Get the last release sources, build a package repository from it (IIUC, that will reveal some other holes in the OpenSolaris distribution feature set...), and then cherry pick the security patches from the dev group to update it with. If you're not willing to do that, then you can say that the OpenSolaris platform is insecure and that it will stay like that because YOU say so.

> Furthermore, people wanting to develop and release new software on
> OpenSolaris platform, need stable and security-patched platform with
> predictive release cycle.

False again. The lack of that hasn't stopped people from developing and releasing new software for OS's that don't have that, and it didn't stop them from doing so before that was a common feature in open source OSs. In fact, the common situation was even worse than that. Someone needing a stable production environment would develop cool features for the stable OS branch and release patches. Which wouldn't apply to the development branch, so they wouldn't be rolled into the main distribution, and often eventually just got lost.

> What should I port new applications to? To /dev version, sure.
This conundrum exists for pretty much all the open source OS's (it doesn't exist for the closed source ones, because in general you don't have access to the dev version). OpenSolaris is actually *better* than most of the alternatives, because its development branch gets cut into a release close to every six months. For the alternatives, the "development" branch gets further and further from the stable branch until they do a major upgrade, which happens on a scale of *years*. For example, the Linux kernel adopted that model with 2.0, and the development branches (2.1, 2.3, 2.5) rolled into release with 2.2 (early 1999), 2.4 (early 2001), and 2.6 (late 2003).

> But what is with stable release (that people should use, anyway).

Depends on their requirements. I think the OpenSolaris releases can be made suitably secure for desktop use (i.e. - behind a NAT firewall of some sort) if you're careful with your Internet tools. Then again, I'm a paranoid SOB, and never trust the OS to be secure anyway. OpenSolaris actually makes things a bit easier than most, in that it provides the ability to put my internet tools in a Zone I can reach into, but they can't reach out of.

> Should I port software to stable release (even for future one) with no
> secure platform to start with?

Up to you.

<mike

--
Mike Meyer <mwm at mired.org> http://www.mired.org/consulting.html
Independent Network/Unix/Perforce consultant, email for more information.

O< ascii ribbon campaign - stop html mail - www.asciiribbon.org