-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Aniruddha wrote:
> On Sat, 2007-11-03 at 12:23 +0100, Pascal Bleser wrote:
[...]
> Thank you for all your answers
>
>> I don't know what world you're living in but we're not paid to do this,
>> we do it during our spare time, and it's a considerable effort and
>> amount of time, health, and commitment going into this from every single
>> member of the team. It's totally unrealistic and just plain impossible
>> for us to provide SLAs, maximum response time guarantees or whatever.
>> Get real.
>>
>> If you want a really secure environment (_if_ you actually need that
>> level of paranoia), then only use the packages that come with the
>> distribution.
>>
>> And as the Subversion team likes to put it: "patches are welcome"
>
> Pascal, in the world I live in, people don't regard questions as personal
> attacks. Nor do they feel the need to talk in a demeaning manner. However
> tempting it might be, I am not going to lower myself to this level of
> discussion.

Huh? Something is just seriously wrong with the tone: criticizing all the time, wrong facts, and you messing up replies and arguments all the time. It's damn close to trolling. That's what is getting you such replies. It's that simple, really.

And I don't see where I was personally attacking you. Actually you're the one who turns every reply into a personal attack.

Reference for the others on the list: http://lists.opensuse.org/opensuse-buildservice/2007-11/ and the dozens of "How secure is openSUSE build service?" threads.

> I own my own IT company, I have to know 100% certain what I offer my
> customers. Companies rely on me for good solid advice. Operating
> systems are just a tool for me, nothing more.

You cannot "know 100% certain what you offer to your customers". You'd have to either write all the source code yourself, or audit all the source code yourself (and actually have such a deep understanding of environments, programming languages etc. that you actually understand exactly what every single line of C/C++/Python/Ruby/Java/C#/PHP/bash/perl source code does), or trust others.

Either you trust the authors of each individual piece of software as well as the packagers, or you defer the trust to another business that has enough time, people and money to have QA processes, QA teams, etc. (e.g. Novell (SLED/SLES), Red Hat (RHEL), Canonical (Ubuntu LTS)).

> Apparently openSUSE/SLED doesn't offer the solution I need. That's fine
> with me. I'll just go on and advise another 'tool' that does offer the
> kind of security I need.
>
> Gentoo for example is 100% free, it's entirely maintained by volunteers,
> and has the highest security standards in the industry:
> http://www.gentoo.org/doc/en/security/index.xml
> http://www.gentoo.org/security/en/index.xml
> http://www.gentoo.org/security/en/vulnerability-policy.xml
> http://www.gentoo.org/security/en/coordinator_guide.xml

Get SLES or SLED, they provide the same security levels, SLAs and whatever you need. Plus you actually get a contract and an SLA, support, hotline, guarantees.

The above give you near nothing because no one is liable for it. It might be a code of conduct, a best effort, an intention (which is great if it really works), but still no guarantee at all. What will happen if the maintainer or one of the maintainers of Gentoo's MPlayer ebuild is on holiday for a few days? Will he be fired? Will someone else from the QA team pick it up, build it, test it?

And with Gentoo it gives you nothing, because you still have to get your customers to rebuild the software in question on their hosts, supposedly with a long downtime.

> Besides Gentoo there is Ubuntu/Debian/FreeBSD which shows that it is
> possible to make a very secure distribution with only volunteers.

Sure, if it makes you feel better to think it does.

If you really want to go for a hardened and secure environment, then go for OpenBSD. But you will always get the tradeoffs, with any environment that is really secure. And it seems that you're targeting desktop systems. That sounds like a lot of fun :)

Just show me where SLED/SLES/openSUSE/Packman was too slow at shipping security fixes or caused harm by not pushing out updates fast enough.

Note that that's exactly the sort of argumentation I was referring to. By telling people they suck because others supposedly do it better (with lots of wrong "facts" btw, such as Debian shipping patent-encumbered codecs in their main repository, or MP3 just being an "ethical problem" and not a legal one, or stating that every single one of the 20000+ packages in the Debian repository undergoes heavy security checks by their maintainers -- plain wrong, but you never reply to people telling you that) and "threatening" to use another distribution, what... you don't actually expect people to give constructive replies, do you? ;)

But if you prefer Gentoo, Debian, Ubuntu, FreeBSD or whatever, those are fine distributions as well, just go for it. Don't think that anyone cares about what distribution you and your customers will be using; that sort of "threatening" just does not work at all.

What Toni and I tried to explain to you (and what you just dubbed a personal attack, for whatever reason) is that we cannot possibly perform security audits on every single package we build. It's not feasible for several reasons:
- we would need to be at least 50 people working on it, full time, with everyone tracking 20 projects or so, not more
- we would probably have to restrict the number of packages that we provide (and you don't want that now, do you?)
- we would need a lot of funding and a lot of hardware to perform security checks, shorter update delivery, automated QA, manual QA procedures

We have none of that.

What we provide to the community is huge amounts of our spare time, committed to giving them software they can install easily on their distribution, in the latest version and uncrippled, with of course a best effort in terms of new releases, bugfixes and security fixes. But we totally rely on upstream (= the software authors), as almost everyone else does.

You have to trust both upstream (authors) and downstream (packagers), that's all. And it's exactly the same with Debian, Ubuntu, Gentoo, others. Because Gentoo may well have some policies and intentions, but it doesn't technically prevent them from skipping their QA or adding something harmful into the packages/ebuilds.

If you have some constructive feedback, some realistic ideas on how to do it, want to contribute to the project, fine, be our guest (that was the meaning of "patches are welcome").

cheers
-- 
  -o) Pascal Bleser     http://linux01.gwdg.de/~pbleser/
  /\\ <[EMAIL PROTECTED]>       <[EMAIL PROTECTED]>
 _\_v The more things change, the more they stay insane.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFHLHasr3NMWliFcXcRAorrAKCDa92oyspbzw5lqrxB67v/ZvqbSACgvJYq
HQYECcFEX/LpLubqfQ17lXE=
=yW9w
-----END PGP SIGNATURE-----

_______________________________________________
Packman mailing list
[email protected]
http://212.112.227.138/cgi-bin/mailman/listinfo/packman
