Mike Meyer wrote:
> On Thu, 26 Nov 2009 12:45:15 +0100
> "Nikola M." <minikola at gmail.com> wrote:
>   
>> Requirement of payment for security updates for free software should be
>> told to people ,
>> so they know what to expect in production.
>>     
>
> You found out about it, so clearly people are being told.  If some OS
> feature is crucial to either production use of that OS or exiting from
> such, then it behooves the person evaluating the OS for production use
> to check on those features, and then fail that OS if they are missing.
>
>   
First of all, thank you, Mike, for a very high-quality response. I hope
I can keep up with your explanations, and thank you also for your
non-confrontational and clever writing. (Also note that English is not my
primary language.)

Let me be clear about my position on OpenSolaris.
I am a supporter of it and I very much advocate its use.
I spend my time giving it to people, hoping to get
more development-competent people to join and contribute.
By spreading it widely and educating people,
I hope to position it better in the business world, to make it less
overwhelmed with close-minded Winblows administrators and "solution"
producers.

I realized only after several months of use that I would not get
security patches.
Now I truly do not know what to do. (Not for me, I am on /dev, but for
other people.)
I was telling people all around that they would get updates after
registration.
(And that is what is printed on the &*^@ CD.)
I truly do not know how to advocate OpenSolaris now.
A new user will install the release version. (New users coming from
Windows or GNU/Linux.)
And I need to tell them: "By the way, there you are, now download another
600 MB or so
and use the /dev release"... and contribute however you can...
"Also, by the way, your contribution will be used to sell support, and you
will never get a stable OpenSolaris you can actually use. Only dev."
(OpenSolaris <> Closed Solaris)
>> I cannot in clear conscience give people free CDs and tell them that
>> OpenSolaris is free, and after that they realize they are using insecure
>> software and must pay for security?
>>     
>
> This implies that there's actually such a thing as "secure" software
> to begin with. The best you can hope for is software with no known
> security problems.
>
>   
Closest to it are security patches for a stable release. Either way, that
is the only sane way to provide any kind of support, even community support.
- "Please state the nature of the release you use" (to paraphrase the
Doctor from Star Trek Voyager) ;)
>> Updates are there and available, BUT users are prevented from accessing them..
>> All operating systems in the world have free security patches BUT
>> OpenSolaris release versions.
>>     
>
> False. Neither DragonFly BSD nor Gentoo Linux provide either
> security-only or security+bugfix patch streams. I'm sure there are
> others out there as well, but I don't really have time (or hardware!)
> to investigate "All operating systems in the world".
>   
Any normal, production-worthy OS that you can rely on, put your business
on,
and pay for support with confidence.
That is what is meant by "every OS". And almost all OSes available
today do that.
> People coming from Linux seem to expect that OpenSolaris will have all
> the features that their favorite Linux distro has. This is obviously
>   
No, I expect that after some years it will not only have the same features,
but better and more advanced features as well.
Aspiring to anything less is not worthwhile ;)
> naive when you consider that Solaris went open source five years ago,
> whereas the Linux and BSD distributions are over 15 years old. So not
>   
It is true. Things are fresh. Let's make them better while they have not
cooled down yet.
> surprisingly, there are *major* holes in the OpenSolaris distributions
> when compared to those more mature distributions. In particular, you
> might investigate how many of those distributions had some flavor of
> security patch stream when they were only 5 years old. At the time, I
> was using the most popular BSD distribution, and they were in even
> worse shape than OpenSolaris is now.
>   
Nice for you. But I don't think Linus or Stallman required payments for
security in the system.
(Sorry for the inaccurate comparison, but..)
If they had done such a thing in 1996, I don't think we would be where we
are today.
Also, consider the GNU/Linux vs OpenSolaris comparisons as the important
ones; BSD is completely another story.
>> I just think it is not a very good way to make a platform widespread and more
>> used, by not telling people that the OpenSolaris platform is insecure and
>> that it will stay like that because Sun says so.
>>     
>
> Sun isn't the only one with a say in this.
>   
Well, if someone else wanted to close down OpenSolaris, that also should
be said.
> First, I'd like to point out that it's not at *all* clear that the
> paid OpenSolaris support group is in any way affiliated with the
> OpenSolaris distributions (other than both being part of Sun). It's
> not at all uncommon for developers working on open software projects
> to offer paid support outside the project. That was pretty much what
>   
I think that by preventing ordinary users from updating, Sun effectively
disables my ability to provide any support to any new user I know.
I can only hope that 2009.06 won't blow up on them until the next release.
> Cygnus did (until they got bought by Red Hat). Once you have such a
> group, if the OS you're supporting doesn't have a security patch
> stream, that's an obvious service to offer. Nuts, even if there is
> such a patch stream, vetting it and providing customer notifications
> is still a worthwhile service.
>
> Given that, you should be able to guess what I'm going to say next. If
> you really feel that OpenSolaris needs a free security patch stream,
> nothing prevents you from providing it. Get the last release sources,
> build a package repository from it (IIUC, that will reveal some other
> holes in the OpenSolaris distribution feature set...), and then cherry
> pick the security patches from dev group to update it with. If you're
> not willing to do that, then you can say that the OpenSolaris platform
> is insecure and that it will stay like that because YOU say so.
>
>   
I was thinking of that. Also, numerous people have said that should be done.
But the question is: is the source code that the security packages are
made from actually available?
Are we able to produce exactly the same packages, using the same code? Etc.

Also, I see the problem from the perspective of an ordinary user, not a
developer.
As I understand it, the packages are there, but just not available..
>> Furthermore, people wanting to develop and release new software on the
>> OpenSolaris platform need a stable and security-patched platform with a
>> predictable release cycle.
>>     
>
> False again. The lack of that hasn't stopped people from developing
> and releasing new software for OS's that don't have that, and it
> didn't stop them from doing so before that was a common feature in
> open source OSs.
>   
I don't think my statement is false, nor is it in collision with your
statement.
Not having a stable platform does not prevent releasing software for the
platform.

It just makes it harder and less interesting to end users..
> In fact, the common situation was even worse than that. Someone
> needing a stable production environment would develop cool features
> for the stable OS branch and release patches. Which wouldn't apply to
> the development branch, so they wouldn't be rolled into the main
> distribution, and often eventually just got lost.
>   
Then there is something wrong with the whole development process
if older software cannot be built on a newer released system.
I see your point, but as I understand it, OpenSolaris should go the same
way Solaris did,
providing full binary support for previous releases.
>> What should I port new applications to? To the /dev version, sure.
>>     
>
> This conundrum exists for pretty much all the open source OS's (it
> doesn't exist for the closed source ones, because in general you don't
> have access to the dev version). OpenSolaris is actually *better* than
> most of the alternatives, because its development branch gets cut
> into a release close to every six months. For the alternatives, the
>   
I see Ubuntu also does that, but no one is even thinking of requiring
all people to pay Canonical to keep their machines secure.
> "development" branch gets further and further from the stable branch
> until they do a major upgrade, which happens on a scale of
> *years*. For example, the Linux kernel adopted that model with 2.0,
> and the development branches (2.1, 2.3, 2.5) rolled into release with
> 2.2 (early 1999), 2.4 (early 2001), and 2.6 (late 2003).
>
>   
Yes, everything you are saying is true.
But I actually miss a stable release. (Look at XP etc.)
If I want to base anything important I need to do on it, I need it on a
stable release.
And I can't, because the security patches simply are not there.

I see you are seeing things in a wider view and on a larger scale etc.,
but I just see a useless stable release from the point of view of the
ordinary
John Doe who wanted to do something actually useful with it.
>> But what about the stable release (that people should use, anyway)?
>>     
>
> Depends on their requirements. I think the OpenSolaris releases can be
> made suitably secure for desktop use (i.e. - behind a NAT firewall of
> some sort) if you're careful with your Internet tools. Then again, I'm
> a paranoid SOB, and never trust the OS to be secure anyway.
> OpenSolaris actually makes things a bit easier than most, in that it
> provides the ability to put my internet tools in a Zone I can reach
> into, but they can't reach out of.
>   
I will try to tell that Zone thing to people who just want a newer Firefox
and a not-so-insecure ssh within a period of six months.
Sorry for some simplification in my answers; to me things are
simpler than
your experienced explanations require.

To me it is just a "future is not there" sense of feeling with OpenSolaris
right now.
>> Should I port software to the stable release (even a future one) with no
>> secure platform to start with?
>>     
>
> Up to you.
>
>    <mike

OK, thank you, Mike, for the quality response. I just hope that things are
much less complicated than you described and that
some clever head will release a security repository/publisher soon,
and we might forget about this altogether.
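The thread above turns on whether the updated packages already sitting in the /dev publisher could be identified and rebuilt for users of the release publisher. As an added example, not part of the original post and not code from OpenSolaris or IPS, the script below parses IPS package FMRIs (the pkg(5) grammar `name@release[,build_release][-branch][:timestamp]`) from two publisher listings and reports which release packages have a newer version in /dev. The two listings, their package names and their version numbers are constructed sample data; the version ordering (release, then build release, then branch, then timestamp, each dotted part compared numerically) is the documented pkg(5) ordering.

```python
"""Find release packages that have newer versions in a /dev listing.

Added example for this thread; not code from the original post nor from
OpenSolaris/IPS. Version strings follow the pkg(5) FMRI grammar:
    pkg:/<name>@<release>[,<build_release>][-<branch>][:<timestamp>]
e.g. pkg:/SUNWcs@0.5.11,5.11-0.75:20071001T163427Z.
The two listings at the bottom are CONSTRUCTED sample data (assumed
package names and version numbers), not real publisher output.
"""
import re
from dataclasses import dataclass

_FMRI = re.compile(
    r"^(?:pkg:/)?(?P<name>[^@\s]+)@(?P<release>\d+(?:\.\d+)*)"
    r"(?:,(?P<build>\d+(?:\.\d+)*))?"
    r"(?:-(?P<branch>\d+(?:\.\d+)*))?"
    r"(?::(?P<ts>\d{8}T\d{6}Z))?$"
)


def _dotted(s):
    """'0.5.11' -> (0, 5, 11); an absent part -> (), which sorts lowest."""
    return tuple(int(x) for x in s.split(".")) if s else ()


@dataclass(frozen=True, order=True)
class IpsVersion:
    # Field order is the comparison order: release, then build release,
    # then branch, then timestamp. Tuples compare element-wise, so
    # (1, 0) < (1, 0, 1) as pkg(5) requires; the fixed-width ISO-8601
    # basic timestamp compares correctly as a plain string.
    release: tuple
    build: tuple
    branch: tuple
    timestamp: str


def parse_fmri(fmri):
    """Split one FMRI into (package name, IpsVersion); ValueError if malformed."""
    m = _FMRI.match(fmri.strip())
    if not m:
        raise ValueError(f"not an IPS FMRI: {fmri!r}")
    return m["name"], IpsVersion(
        _dotted(m["release"]), _dotted(m["build"]),
        _dotted(m["branch"]), m["ts"] or "")


def load_listing(text):
    """Parse one FMRI per line into {name: newest IpsVersion seen}."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, ver = parse_fmri(line)
        if name not in pkgs or ver > pkgs[name]:
            pkgs[name] = ver
    return pkgs


def lagging(release_pkgs, dev_pkgs):
    """Packages present in both listings where /dev carries a newer version."""
    return {
        name: (rel, dev_pkgs[name])
        for name, rel in release_pkgs.items()
        if name in dev_pkgs and dev_pkgs[name] > rel
    }


def format_version(v):
    """Render an IpsVersion back into pkg(5) notation."""
    dot = lambda t: ".".join(map(str, t))
    out = dot(v.release)
    if v.build:
        out += "," + dot(v.build)
    if v.branch:
        out += "-" + dot(v.branch)
    if v.timestamp:
        out += ":" + v.timestamp
    return out


# Constructed sample listings (assumed package names and versions).
RELEASE_LISTING = """
pkg:/SUNWcsl@0.5.11,5.11-0.111:20090508T161000Z
pkg:/SUNWsshd@0.5.11,5.11-0.111:20090508T161000Z
pkg:/SUNWfirefox@3.1.0,5.11-0.111:20090508T161000Z
pkg:/SUNWbash@3.2.25,5.11-0.111:20090508T161000Z
"""
DEV_LISTING = """
pkg:/SUNWcsl@0.5.11,5.11-0.127:20091120T100000Z
pkg:/SUNWsshd@0.5.11,5.11-0.127:20091120T100000Z
pkg:/SUNWfirefox@3.5.5,5.11-0.127:20091120T100000Z
pkg:/SUNWbash@3.2.25,5.11-0.111:20090508T161000Z
pkg:/SUNWgit@1.6.5,5.11-0.127:20091120T100000Z
"""


def report(release_text=RELEASE_LISTING, dev_text=DEV_LISTING):
    """Sorted names of release packages that /dev has a newer version of."""
    return sorted(lagging(load_listing(release_text), load_listing(dev_text)))


if __name__ == "__main__":
    rel, dev = load_listing(RELEASE_LISTING), load_listing(DEV_LISTING)
    for name, (old, new) in sorted(lagging(rel, dev).items()):
        print(f"{name}: {format_version(old)} -> {format_version(new)}")
```

Feed `load_listing` the output of `pkg list -Hv` taken against each publisher (or a manifest dump from the repository) and the `lagging` map is the candidate set for a security repository; packages that exist only in /dev (SUNWgit above) are deliberately not reported, since they were never part of the release.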
