[taken off-list]

On Fri, 27 Nov 2009 16:56:23 +0100
"Nikola M." <minikola at gmail.com> wrote:

> Mike Meyer wrote:
> > On Thu, 26 Nov 2009 12:45:15 +0100
> > "Nikola M." <minikola at gmail.com> wrote:
> >> Requirement of payment for security updates for free software should be
> >> told to people,
> >> so they know what to expect in production.
> > You found out about it, so clearly people are being told.  If some OS
> > feature is crucial to either production use of that OS or exiting from
> > such, then it behooves the person evaluating the OS for production use
> > to check on those features, and then fail that OS if they are missing.
> First of all, thank you Mike, for a very quality response. I hope
> I will keep up with your explanations, and also thank you for
> actually non-confronting and clever writing. (Also note English is not my
> primary language)

Thank you.

> Let me be clear with my position on Opensolaris.
> I am a supporter of it and I very much advocate its use.
> I am spending my time and giving it to people, hoping to have
> more development-competent people join and contribute.
> By spreading it widely and giving education to people,
> I hope I make it better positioned in the business world, to make it less
> overwhelmed with close-minded Winblows administrators and "solution" producers.

Maybe you've chosen the wrong OS for that purpose, then? As you've
noted, they don't have free security updates. Last time I checked,
rebuilding OpenSolaris from source was a major undertaking, which is a
major disincentive for the more development-competent people. Of
course, if you're looking for ways to contribute, you've already
identified another one!

For instance, if the goal is production business use, the commercial
support options are the important ones, but you might want to be
recommending Solaris 10 instead of OpenSolaris.

> I realized that I will not get security patches only after several
> months of use.
> Now I truly do not know what to do. (Not for me, I am on /dev, but for
> other people)
> I was telling people all around that they will get updates after
> registration.
> (And that is what is printed on the &*^@ CD)

I've never seen the CD - does it say how often the updates will
happen?

> I truly do not know how to advocate Opensolaris now.
> New users will install the release version. (New users coming from Windows or
> GNU/Linux)
> And I need to say to them: "Btw, there you are, now download new
> 600 MB or so and use the /dev release"...and contribute however you can..
> "Also, Btw.. your contribution will be used to sell support and you will
> Never get a Stable Opensolaris you can actually use. Only dev.."
> (Opensolaris <> Closed Solaris)

The first part of this - that your contributions are used to sell
support - is true for pretty much every open source OS around. If they
have any commercial aspirations at all, someone sells support for
them, and all the features in the OS - no matter who contributed them
- help do that.

> >> I can not in clear conscience give people free CDs and tell them that
> >> Opensolaris is for free and after that they realize they use insecure
> >> software, they must pay for security?
> > This implies that there's actually such a thing as "secure" software
> > to begin with. The best you can hope for is software with no known
> > security problems.
> Closest to it are security patches for the stable release. Either way, that
> is the only sane way to provide any kind of support. Even community one.

Yup. And OpenSolaris has that. Your issue is that the only people
who've stepped up to provide it want to make money doing so.

> - "Please state the nature of release you use" (to paraphrase the Doctor
> from Star trek Voyager) ;)
> >> Updates are there and available, BUT users are prevented from accessing them..
> >> All operating systems in the world have free security patches BUT
> >> Opensolaris release versions.
> > False. Neither DragonFly BSD nor Gentoo Linux provide either
> > security-only or security+bugfix patch streams. I'm sure there are
> > others out there as well, but I don't really have time (or hardware!)
> > to investigate "All operating systems in the world".
> Any normal, production-worthy OS that you can rely on, put your business
> on, and pay for support with confidence in.

Well, I'm sure you can get a bug-fix stream for either of those two
OS's if you're willing to pay for support; I didn't check all the
options. Probably cheaper than for OpenSolaris, because they're
engineered to be easy to rebuild from source. They're both certainly
in better shape than anything available in 1998 or so when the first
internet boom happened on top of free operating system distributions
and software.

> That is what is meant under every OS. And almost all OSes available
> today do that.

I suspect most don't, unless you limit it to those that have serious
commercial goals. Many of them are from very small operations that
just don't have the resources to maintain another codeline.

> > People coming from Linux seem to expect that OpenSolaris will have all
> > the features that their favorite Linux distro has. This is obviously
> No, I expect that after some years it will not only have the same features, but
> better and more advanced features, also.
> Aspiring to anything less is not worthwhile ;)

> > surprisingly, there are *major* holes in the OpenSolaris distributions
> > when compared to those more mature distributions. In particular, you
> > might investigate how many of those distributions had some flavor of
> > security patch stream when they were only 5 years old. At the time, I
> > was using the most popular BSD distribution, and they were in even
> > worse shape than OpenSolaris is now.
> Nice for you. But I don't think Linus or Stallman required payments for
> security in the system.

Actually, Stallman actively *discouraged* security in a system; he
considered it had no use except to make things harder for users, and
he's all about user freedom. On the other hand, it's been 15 years
since I talked to him about such, and the world has changed - so maybe
he's changed his tune somewhat since then.

And back then, he was recommending you get the GNU software from the
FSF, for $185 a copy (that was "shipping and handling" fees for a
tape).

> If they had done such a thing in 1996, I don't think we would be where we
> are today.

They did.

> Also, consider GNU/Linux vs Opensolaris comparisons as important, BSD
> is completely another story.

But it's an important one. BSD is a popular OS on servers - even
places that run GNU/Linux on their desktop have BSD servers. More
importantly, the licensing issues that make integrating Solaris
technology into Linux a problem don't exist for BSD, so the latest stable
version of FreeBSD shipped with DTrace and ZFS (and possibly other
goodies as well).

If you want OpenSolaris technologies in a distribution with lots of
options for updating, FreeBSD has to be given serious consideration.


> >> I just think it not very good way to make platform widespread and more
> >> used by not telling people that Opensolaris platform is insecure and
> >> that it will stay like that because Sun says so.
> > Sun isn't the only one with a say in this.
> Well, if someone else wanted to close down Opensolaris, that also should
> be said.

I'm not sure that can be done. IIRC, the CDDL is OSS-approved, which
means they can't "unrelease" the sources. Sun owns the trademarks on
the name, so they can prevent people from creating a distribution
called "OpenSolaris". However, they can't prevent someone else from
taking the available sources and creating a distribution called
"OpenSirius" or whatever.

> > First, I'd like to point out that it's not at *all* clear that the
> > paid OpenSolaris support group is in any way affiliated with the
> > OpenSolaris distributions (other than both being part of Sun). It's
> > not at all uncommon for developers working on open software projects
> > to offer paid support outside the project. That was pretty much what
> I think that by preventing ordinary users from updating, Sun effectively
> disables my ability to provide any support to any new user I know.
> I can only hope that 2009.06 wouldn't blow up on them until the next release.

You're overstating the case. Ordinary users can update. They just
can't update to anything short of the development codeline. That's a
lot less dangerous than updating to the development codeline of the
Linux kernel or a BSD distribution, because those have distinct
development codelines that users are discouraged from using. Updating
to Sun's development codeline is more like updating to something like
-STABLE on FreeBSD - only safer.

> > Cygnus did (until they got bought by Red Hat). Once you have such a
> > group, if the OS you're supporting doesn't have a security patch
> > stream, that's an obvious service to offer. Nuts, even if there is
> > such a patch stream, vetting it and providing customer notifications
> > is still a worthwhile service.
> > Given that, you should be able to guess what I'm going to say next. If
> > you really feel that OpenSolaris needs a free security patch stream,
> > nothing prevents you from providing it. Get the last release sources,
> > build a package repository from it (IIUC, that will reveal some other
> > holes in the OpenSolaris distribution feature set...), and then cherry
> > pick the security patches from dev group to update it with. If you're
> > not willing to do that, then you can say that the OpenSolaris platform
> > is insecure and that it will stay like that because YOU say so.
> I was thinking of that. Also, numerous people said that should be done.
> But the question is: is the source code that the security packages are made from
> actually available?
> Are we able to produce exactly the same packages, using the same code? Etc.

Why do you care? Do you need to produce exactly the same packages, or
do you just need a set of packages that will fix the security
problems, even if they aren't exactly the same?  The real question is,
is the source code with security fixes going into the dev source repo?
That's where you're going to get them from. The answer pretty much has
to be yes, otherwise those fixes don't wind up in the next
release.

> Also, I see the problem from the perspective of an ordinary user, not a
> developer.
> As I understand, the packages are there but just not available..

The packages are available from the *commercial support group*. Your
problem is you don't think you should have to pay for them. I also
suspect that you're assuming they're developed by the same people who
are doing OpenSolaris development. I'd be surprised if that's the
case. For instance, if a security problem showed up in FireFox, the
OpenSolaris Development group would commit a fix for 3.5, because
that's what's in the current dev system. But the commercial support
group is liable to commit a fix for 3.1, because that's what's in
2009.06.

> >> Further more, People wanting to develop and release new software on
> >> Opensolaris platform, need stable and security-patched platform with
> >> predictive release cycle.
> > False again. The lack of that hasn't stopped people from developing
> > and releasing new software for OS's that don't have that, and it
> > didn't stop them from doing so before that was a common feature in
> > open source OSs.
> I don't think my statement is false, nor is it in collision with your
> statement.
> Not having a stable platform does not prevent releasing software for the platform.

In that case, people releasing software don't need a stable and
security-patched platform.

> It just makes it harder and less interesting to final users..

The final users might, of course.

> > In fact, the common situation was even worse than that. Someone
> > needing a stable production environment would develop cool features
> > for the stable OS branch and release patches. Which wouldn't apply to
> > the development branch, so they wouldn't be rolled into the main
> > distribution, and often eventually just got lost.
> Then there is something wrong with the whole development process
> if older software cannot be built on a newer released system.
> I see your point but, as I understand, Opensolaris should go the same
> way as Solaris did, providing full binary support for previous releases.

I agree with you that that development process is busted, but it's
also the one followed by the Linux kernel, and a host of other tools
in the GNU/Linux world, as well as at least FreeBSD in the BSD
world. The OpenSolaris process seems to be a lot better, but I haven't
been following it long enough to decide for sure.

> >> What should I port new applications to? To /dev version, sure.
> > This conundrum exists for pretty much all the open source OS's (it
> > doesn't exist for the closed source ones, because in general you don't
> > have access to the dev version). OpenSolaris is actually *better* than
> > most of the alternatives, because its development branch gets cut
> > into a release close to every six months. For the alternatives, the
> I see Ubuntu also does that but no one is even thinking of requiring
> all people to pay to Canonical to keep their machines secure.

That's because someone in the Ubuntu community took on the role of
"security officer" and is maintaining that codeline. It's not at all
clear that that has happened in the OpenSolaris community yet. Someone
inside of Sun is doing so, but they're clearly part of Sun's
commercial OS support group, and may or may not be on the team doing
OpenSolaris development.

> > "development" branch gets further and further from the stable branch
> > until they do a major upgrade, which happens on a scale of
> > *years*. For example, the Linux kernel adopted that model with 2.0,
> > and the development branches (2.1, 2.3, 2.5) rolled into release with
> > 2.2 (early 1999), 2.4 (early 2001), and 2.6 (late 2003).
> Yes, everything you were saying is true.
> But I actually miss stable release. (Look at XP etc)

I'd say XP - being the better part of a decade old and two major
releases behind current - is *far* less relevant than BSD. But it
didn't have "stable releases". It did have security patches, but the
"service packs" were a disaster.

> If I want to base anything important I need to do, I need it on stable
> release.

That's called "Solaris". "OpenSolaris" is a development effort; it's
not a stable release.

> And I can't because security patches simply are not there.

Sure they are. You just have to pay for them. If it's not worth paying
for, how important can it be?

> I see you are seeing things in a wider view and on a larger scale etc,
> but I just see a useless stable release from the point of view of that
> ordinary John Doe that wanted to do something actually useful with it.

I'm doing useful things with it. I'm just not doing them in places
where people I don't trust can get to it.

> >> But what is with stable release (that people should use, anyway).
> > Depends on their requirements. I think the OpenSolaris releases can be
> > made suitably secure for desktop use (i.e. - behind a NAT firewall of
> > some sort) if you're careful with your Internet tools. Then again, I'm
> > a paranoid SOB, and never trust the OS to be secure anyway.
> > OpenSolaris actually makes things a bit easier than most, in that it
> > provides the ability to put my internet tools in a Zone I can reach
> > into, but they can't reach out of.
> I will try to tell that Zone thing to people that just want a newer Firefox
> and not-so-insecure ssh within a period of six months.

I don't think Zones will help with that. Firefox is basically a
security nightmare, as it *by design* runs code from remote sources
without verification by you. Zones help if you install FireFox in a
zone and keep it there, by limiting the damage said code can do. The
only real security measure is to disable all the scripting languages,
which is incredibly inconvenient. Without Zones, I recommend
installing the NoScript extension, which gives you a nice interface to
per-domain control over all the scripting languages.

A major firefox upgrade - from 3.1 to 3.5, which is what people seem
to want from OpenSolaris - wouldn't be part of a security patch. An
update from 3.1.0.2 to 3.1.0.10 might be.

As far as I know, there are no security issues in ssh in 2009.06. The
openssh library, on the other hand, suffers from the renegotiations
vulnerability, but that only happens on web servers providing https
with the renegotiations enabled (Apache has that off by default), and
if you're running that you should probably be using Solaris instead of
OpenSolaris. Besides which, last time I looked there wasn't a patch
for this problem.

> Sorry for some simplification in my answers; to me things are
> simpler than your experienced explanations require.

I hate to say it, but it sounds like you really just want to feel
safe in a stable environment.

> To me it is just a "Future is not there" sense of feeling with Opensolaris
> right now.

Oh, I definitely get that as well. It's not there. On the other hand,
it hasn't really been around long enough to decide how well what *is*
there works. Tracking dev releases is a lot safer than tracking
"stable" development branches in other OSs; maybe it's safe enough
that there's no need for security patches for most users. Only time
will tell.

> Ok, thank you, Mike, for the quality response. I just hope that things are
> much less complicated than you described and that
> some clever head will release a Security repository/Publisher soon,
> and we might forget about this altogether.

Well, if it's going to get done, somebody who needs it should do
it. Open source systems are largely driven by what developers (or
someone willing to pay them) need. Sun needs an operating system
suitable for commercial use they can make money supporting and selling
bundled with their hardware. So while they're providing developers to
do - and give away - a lot of work, I wouldn't expect them to provide
developers that would do things that cut into their support revenue.

      <mike
-- 
Mike Meyer <mwm at mired.org>           http://www.mired.org/consulting.html
Independent Network/Unix/Perforce consultant, email for more information.

O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
