Re: [CentOS] current bind version
On Wed, Feb 23, 2011 at 10:45 PM, Ross Walker rswwal...@gmail.com wrote:
> Let's face it, most auditors these days are just accountants with Infosys Mgmt text books.

Or former sysadmins who didn't make it in the management track but still wanted to be able to lord it over others...

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] current bind version
On 02/24/2011 02:24 AM, Nico Kadel-Garcia wrote:
>> I have had an enquiry from the Network and Security guy. He wants to know why CentOS 5.5 /RHEL 5 is using a very old version of bind
>
> The bind97 package is in RHEL 5.6.

... and available in c5-testing, pending the centos-5.6 release; so if you want to get it now, get it early - that's a good place to grab it from.

Also, if you do use the package from c5-testing, make sure to feed back comments to the centos-devel list so they can be incorporated into the CentOS-5.6 Release Notes.

- KB
Re: [CentOS] current bind version
On Wed, Feb 23, 2011 at 10:23 PM, John R Pierce pie...@hogranch.com wrote:
> On 02/23/11 6:08 PM, Machin, Greg wrote:
>> Hi. I have had an enquiry from the Network and Security guy. He wants to know why CentOS 5.5 /RHEL 5 is using a very old version of bind “bind-chroot-9.3.6-4.P1.el5_5.3” when the latest release that has many security fixes is on 9.7.3. I understand that it's to maintain a known stable platform by not introducing new elements etc. Is there an official explanation / document that I can direct him to?
>
> to put it bluntly, your security guy is pretty much worthless as such if he thinks security is audited by checking version numbers. sadly, this is too common.

No, it's actually useful. Backporting is painful, expensive, and often unreliable, and leaves various unpublished zero-day exploits in the wild. It also indicates feature incompatibility with other tools that rely on the new features.

I went through this last week with OpenSSH version 5.x (not currently available for RHEL or CentOS 5 except by third party provided software), and bash. Turns out that OpenSSH 5.x doesn't read your .bashrc for non-login sessions; OpenSSH 4.x did. RHEL 6 addressed this for normal use by updating bash so it gets handled more like people expect it to behave, but I had users very upset that the new OpenSSH with the new features did not handle their reset PATH settings from their .bashrc.
Re: [CentOS] current bind version
On 02/24/2011 07:12 AM, Nico Kadel-Garcia wrote:
> On Wed, Feb 23, 2011 at 10:23 PM, John R Pierce pie...@hogranch.com wrote:
>> On 02/23/11 6:08 PM, Machin, Greg wrote:
>>> Hi. I have had an enquiry from the Network and Security guy. He wants to know why CentOS 5.5 /RHEL 5 is using a very old version of bind “bind-chroot-9.3.6-4.P1.el5_5.3” when the latest release that has many security fixes is on 9.7.3. I understand that it's to maintain a known stable platform by not introducing new elements etc. Is there an official explanation / document that I can direct him to?
>>
>> to put it bluntly, your security guy is pretty much worthless as such if he thinks security is audited by checking version numbers. sadly, this is too common.
>
> No, it's actually useful. Backporting is painful, expensive, and often unreliable, and leaves various unpublished zero-day exploits in the wild. It also indicates feature incompatibility with other tools that rely on the new features.

The above may or may not be true (I think red hat does a very good job of addressing security and stability with backporting) ... BUT ... if you do not like backports, then RHEL (and since we rebuild those sources, CentOS) is not the distribution that you want to be using. Backporting is what red hat does to fix most security issues.

If you have a philosophical problem with backporting (many people do, that is their prerogative) then some other enterprise Linux version would be a much better choice. I am not saying this to be a smart a$$ or be negative ... just saying that other enterprise distributions exist that provide long term stability without backports ... Ubuntu LTS is a free example. They also provide integration of all their system libraries and audit their software for security compliance.

> I went through this last week with OpenSSH version 5.x (not currently available for RHEL or CentOS 5 except by third party provided software), and bash. Turns out that OpenSSH 5.x doesn't read your .bashrc for non-login sessions; OpenSSH 4.x did. RHEL 6 addressed this for normal use by updating bash so it gets handled more like people expect it to behave, but I had users very upset that the new OpenSSH with the new features did not handle their reset PATH settings from their .bashrc.

I would think that using an enterprise distribution of Linux where several hundreds of developers are testing the integration would serve you better than building your own openssh, your own bind, your own everything else and trying to bolt it onto the backport model that red hat uses to keep your stuff secure.
Re: [CentOS] current bind version
On Thu, Feb 24, 2011 at 9:31 AM, Johnny Hughes joh...@centos.org wrote:
> On 02/24/2011 07:12 AM, Nico Kadel-Garcia wrote:
>> I went through this last week with OpenSSH version 5.x (not currently available for RHEL or CentOS 5 except by third party provided software), and bash. Turns out that OpenSSH 5.x doesn't read your .bashrc for non-login sessions; OpenSSH 4.x did. RHEL 6 addressed this for normal use by updating bash so it gets handled more like people expect it to behave, but I had users very upset that the new OpenSSH with the new features did not handle their reset PATH settings from their .bashrc.
>
> I would think that using an enterprise distribution of Linux where several hundreds of developers are testing the integration would serve you better than building your own openssh, your own bind, your own everything else and trying to bolt it onto the backport model that red hat uses to keep your stuff secure.

Nice try. It was a commercially provided OpenSSH distribution, sold for RHEL users, with thousands of users. (I'll send you the vendor name privately, if you're curious.)

I agree it gets into serious pain: this is one of the many reasons that I try to dissuade people from inserting their own components, built directly from source, not under RPM.
Re: [CentOS] current bind version
On Feb 24, 2011, at 9:31 AM, Johnny Hughes joh...@centos.org wrote:
> I am not saying this to be a smart a$$ or be negative ... just saying that other enterprise distributions exist that provide long term stability without backports ... Ubuntu LTS is a free example. They also provide integration of all their system libraries and audit their software for security compliance.

I think the primary driving factor for Redhat to employ the backport method is to maintain a stable ABI across a release, and the primary reason for that is for third party application support.

Redhat wants to provide a platform for which commercial vendors can develop their wares such that they can say it supports RHEL 5 or 6 and it will actually run on said platform without loss of functionality or stability.

I doubt the same can be said about Ubuntu LTS or even SLES where a change in a library can result in either the third party application not working or working with limited functionality.

-Ross
Re: [CentOS] current bind version
On 02/24/2011 05:43 PM, Ross Walker wrote:
> On Feb 24, 2011, at 9:31 AM, Johnny Hughes joh...@centos.org wrote:
>> I am not saying this to be a smart a$$ or be negative ... just saying that other enterprise distributions exist that provide long term stability without backports ... Ubuntu LTS is a free example. They also provide integration of all their system libraries and audit their software for security compliance.
>
> I think the primary driving factor for Redhat to employ the backport method is to maintain a stable ABI across a release, and the primary reason for that is for third party application support.
>
> Redhat wants to provide a platform for which commercial vendors can develop their wares such that they can say it supports RHEL 5 or 6 and it will actually run on said platform without loss of functionality or stability.
>
> I doubt the same can be said about Ubuntu LTS or even SLES where a change in a library can result in either the third party application not working or working with limited functionality.

That is absolutely true and I agree with you 100% ... I like the constant ABI across the release and the backport model, otherwise I would be building something else.

But I also know that there are people who think backporting is the Devil. I was only trying to provide sane advice for those people ... I think it is much safer (and more stable) to use Ubuntu than to try and build your own latest bind and your own latest ssh and your own latest apache and your own latest php and other stuff and then bolt that into CentOS. If you start breaking the constant ABI and introducing lots of new shared libs, etc, then you are totally negating the only 2 things (ABI and stability) that make CentOS an enterprise OS. You are even likely better off using Fedora than trying to replace massive parts of CentOS with newer stuff.

Now ... I have done some custom things myself (like roll in Samba 3.4.x for Windows 7 PDC support into c4 and c5, and CentOS 5 LDAP in CentOS 4 so I could add new C5 machines as Domain controllers in new offices with some older C4 machines as domain controllers in the old offices without having to replace the older OSes). So, with limited changes, it is possible.
Re: [CentOS] current bind version
On 2/24/11 7:37 PM, Johnny Hughes wrote:
> On 02/24/2011 05:43 PM, Ross Walker wrote:
>> On Feb 24, 2011, at 9:31 AM, Johnny Hughes joh...@centos.org wrote:
>>> I am not saying this to be a smart a$$ or be negative ... just saying that other enterprise distributions exist that provide long term stability without backports ... Ubuntu LTS is a free example. They also provide integration of all their system libraries and audit their software for security compliance.
>>
>> I think the primary driving factor for Redhat to employ the backport method is to maintain a stable ABI across a release, and the primary reason for that is for third party application support.
>>
>> Redhat wants to provide a platform for which commercial vendors can develop their wares such that they can say it supports RHEL 5 or 6 and it will actually run on said platform without loss of functionality or stability.
>>
>> I doubt the same can be said about Ubuntu LTS or even SLES where a change in a library can result in either the third party application not working or working with limited functionality.
>
> That is absolutely true and I agree with you 100% ... I like the constant ABI across the release and the backport model, otherwise I would be building something else.

Can someone remind me why VMware server 2.x broke with a RHEL/CentOS 5.x glibc update? I switched back to 1.x which I like better anyway, but if the reason for putting up with oldness is to keep that from happening, it didn't work.

-- 
Les Mikesell
lesmikes...@gmail.com
Re: [CentOS] current bind version
On Feb 24, 2011, at 8:37 PM, Johnny Hughes joh...@centos.org wrote:
> On 02/24/2011 05:43 PM, Ross Walker wrote:
>> On Feb 24, 2011, at 9:31 AM, Johnny Hughes joh...@centos.org wrote:
>>> I am not saying this to be a smart a$$ or be negative ... just saying that other enterprise distributions exist that provide long term stability without backports ... Ubuntu LTS is a free example. They also provide integration of all their system libraries and audit their software for security compliance.
>>
>> I think the primary driving factor for Redhat to employ the backport method is to maintain a stable ABI across a release, and the primary reason for that is for third party application support.
>>
>> Redhat wants to provide a platform for which commercial vendors can develop their wares such that they can say it supports RHEL 5 or 6 and it will actually run on said platform without loss of functionality or stability.
>>
>> I doubt the same can be said about Ubuntu LTS or even SLES where a change in a library can result in either the third party application not working or working with limited functionality.
>
> That is absolutely true and I agree with you 100% ... I like the constant ABI across the release and the backport model, otherwise I would be building something else.
>
> But I also know that there are people who think backporting is the Devil. I was only trying to provide sane advice for those people ... I think it is much safer (and more stable) to use Ubuntu than to try and build your own latest bind and your own latest ssh and your own latest apache and your own latest php and other stuff and then bolt that into CentOS. If you start breaking the constant ABI and introducing lots of new shared libs, etc, then you are totally negating the only 2 things (ABI and stability) that make CentOS an enterprise OS. You are even likely better off using Fedora than trying to replace massive parts of CentOS with newer stuff.
>
> Now ... I have done some custom things myself (like roll in Samba 3.4.x for Windows 7 PDC support into c4 and c5, and CentOS 5 LDAP in CentOS 4 so I could add new C5 machines as Domain controllers in new offices with some older C4 machines as domain controllers in the old offices without having to replace the older OSes). So, with limited changes, it is possible.

I was pretty sure you understood, it was more for the audience.

Also to add, there is nothing wrong with adding custom builds of software, just make sure it goes in '/usr/local' for 'make install' builds and their updated libraries if they need updated libraries.

If one is doing custom RPM builds it is still better to locate in '/usr/local' if possible, otherwise make damn sure it doesn't conflict with the base CentOS RPMs or one may find his/her self in dependency hell.

-Ross
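The conflict check Ross describes above (a custom build must not claim files the base CentOS RPMs already own, and a `make install` build should stay under /usr/local) can be scripted. The following is an added example, not code from the thread or from the CentOS project: the two file lists are constructed for the example, `conflicts_with_base` and `outside_usr_local` are names chosen here, and the only real command referenced is `rpm -qal` in the usage comment, which is not assumed to exist where the script runs.

```shell
#!/bin/sh
# Constructed file lists. CUSTOM_FILES stands in for the install manifest of a
# locally built package; BASE_OWNED stands in for the output of `rpm -qal`
# (every file owned by an installed package). Paths are illustrative only.
CUSTOM_FILES='/usr/local/sbin/named
/usr/local/lib/libbind9.so.60
/usr/sbin/named
/etc/named.conf'

BASE_OWNED='/usr/sbin/named
/usr/lib64/libbind9.so.30
/etc/named.conf
/usr/bin/dig'

# Print each custom-build path that a base package already owns: two owners
# for one file is exactly the "dependency hell" case, and a later errata
# update of the base package will silently overwrite the custom copy.
conflicts_with_base() {
    printf '%s\n' "$1" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        if printf '%s\n' "$2" | grep -qxF "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Print each custom-build path that lands outside /usr/local. Anything listed
# here is a candidate for the conflict check above, even if it does not
# collide today, because the distribution may start shipping that path later.
outside_usr_local() {
    printf '%s\n' "$1" | grep -v '^$' | grep -v '^/usr/local/' || true
}

# Live usage on a RHEL/CentOS host, given a manifest of the files the custom
# build installs (e.g. from `make -n install` or the build's own file list):
#   conflicts_with_base "$(cat install_manifest.txt)" "$(rpm -qal)"
#   outside_usr_local   "$(cat install_manifest.txt)"
echo "conflicts with base packages:"
conflicts_with_base "$CUSTOM_FILES" "$BASE_OWNED"
echo "installed outside /usr/local:"
outside_usr_local "$CUSTOM_FILES"
```

Run before the custom package is installed; an empty result from both functions is the state Ross is asking for. The lookup is a plain line-by-line match, so it reports exact path collisions only, not a newer shared library that merely shadows an older one via the loader path.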
Re: [CentOS] current bind version
On Wed, Feb 23, 2011 at 9:08 PM, Machin, Greg greg.mac...@openpolytechnic.ac.nz wrote:
> Hi. I have had an enquiry from the Network and Security guy. He wants to know why CentOS 5.5 /RHEL 5 is using a very old version of bind “bind-chroot-9.3.6-4.P1.el5_5.3” when the latest release that has many security fixes is on 9.7.3. I understand that it's to maintain a known stable platform by not introducing new elements etc. Is there an official explanation / document that I can direct him to?

The bind97 package is in RHEL 5.6. RedHat publishes such major component upgrades as separate packages, so people using the older version get updates, but those who want the major upgrades are free to install them and get separate support.

Our faithful CentOS maintainers have not yet completed their publication of CentOS 5.6. I'm sure they'd appreciate your help doing so, although I've had some difficulty reverse engineering enough of their build structure to parallel their work.
Re: [CentOS] current bind version
On Thu, 2011-02-24 at 15:08 +1300, Machin, Greg wrote:
> I have had an enquiry from the Network and Security guy. He wants to know why CentOS 5.5 /RHEL 5 is using a very old version of bind “bind-chroot-9.3.6-4.P1.el5_5.3” when the latest release that has many security fixes is on 9.7.3. I understand that it's to maintain a known stable platform by not introducing new elements etc. Is there an official explanation / document that I can direct him to?

It is my understanding that the security issue affects neither the Red Hat version of Bind nor the CentOS derivative for operating system releases 4 and 5.

This subject was mentioned here with some passion in the last 48 hours but I don't keep copies. Please suggest to your guy that he needs to do some Googling to find recent emails from this mailing list and other sources which may provide further information.
Re: [CentOS] current bind version
On 02/24/2011 01:08 PM, Machin, Greg wrote:
> Hi. I have had an enquiry from the Network and Security guy. He wants to know why CentOS 5.5 /RHEL 5 is using a very old version of bind bind-chroot-9.3.6-4.P1.el5_5.3 when the latest release that has many security fixes is on 9.7.3. I understand that it's to maintain a known stable platform by not introducing new elements etc. Is there an official explanation / document that I can direct him to?

Hi Greg

Probably an idea to point your NS guys at the RH 'backporting' page - https://access.redhat.com/security/updates/backporting/?sc_cid=3093

Basically, the version is kept the same to minimise impact on users, whilst bugfixes and security errata from future versions are 'backported' to the version that ships with the relevant RHEL version.

Also worthwhile pointing them at the BIND CVE in the Redhat Bugzilla, which advises on the impact on the RHEL versions - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0414

Regards
Steve
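Because a backported fix leaves the upstream version number untouched, the check an auditor actually wants is whether the package's RPM changelog references the CVE, which is what `rpm -q --changelog` exposes. The script below is an added example, not code from the thread or from Red Hat or CentOS: the sample changelog text is constructed for the example (its CVE id `CVE-0000-1234` is a deliberate placeholder, not a real advisory), the function names `changelog_cves`, `changelog_has_cve` and `backport_status` are chosen here, and `rpm` itself is only referenced in a usage comment and is not assumed to exist where the script runs.

```shell
#!/bin/sh
# Constructed sample in the shape that `rpm -q --changelog bind` prints on a
# RHEL/CentOS 5 host. The maintainer, dates and the CVE-0000-1234 placeholder
# are invented for this example; only the release string's format follows the
# package named in the thread.
SAMPLE_CHANGELOG='* Tue Feb 22 2011 Example Maintainer <maint@example.invalid> - 30:9.3.6-4.P1.el5_5.3
- backport fix for CVE-0000-1234 (constructed entry, placeholder id)
* Mon Nov 01 2010 Example Maintainer <maint@example.invalid> - 30:9.3.6-4.P1.el5_5.2
- earlier bugfix (constructed entry)'

# List every CVE identifier mentioned anywhere in a changelog text, one per
# line, deduplicated. The pattern allows the 4-digit sequence numbers of 2011
# as well as the longer ones used later.
changelog_cves() {
    printf '%s\n' "$1" | grep -o 'CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]*' | sort -u
}

# Exit 0 if the changelog text mentions the given CVE id, 1 otherwise.
changelog_has_cve() {
    changelog_cves "$1" | grep -qxF "$2"
}

# One-line verdict for an installed package. The version in the NVR is shown
# only for the record: with backporting it says nothing about whether the fix
# is present, so the changelog is what decides.
backport_status() {
    nvr=$1 changelog=$2 cve=$3
    if changelog_has_cve "$changelog" "$cve"; then
        printf '%s: %s fixed (backported; upstream version unchanged)\n' "$nvr" "$cve"
    else
        printf '%s: %s not referenced in changelog - check the vendor advisory\n' "$nvr" "$cve"
    fi
}

# Live usage on a RHEL/CentOS host, using the CVE Steve points at above:
#   backport_status "$(rpm -q bind)" "$(rpm -q --changelog bind)" CVE-2011-0414
backport_status bind-chroot-9.3.6-4.P1.el5_5.3 "$SAMPLE_CHANGELOG" CVE-0000-1234
```

A CVE missing from the changelog is not by itself a finding: as the Bugzilla entry Steve links is there to say, the package may simply not be affected. The script distinguishes "fixed by backport" from "not referenced", and the second case is the cue to read the advisory rather than to compare version numbers.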
Re: [CentOS] current bind version
On Feb 23, 2011, at 9:08 PM, Machin, Greg greg.mac...@openpolytechnic.ac.nz wrote:
> Hi. I have had an enquiry from the Network and Security guy. He wants to know why CentOS 5.5 /RHEL 5 is using a very old version of bind “bind-chroot-9.3.6-4.P1.el5_5.3” when the latest release that has many security fixes is on 9.7.3. I understand that it's to maintain a known stable platform by not introducing new elements etc. Is there an official explanation / document that I can direct him to?

Please check out: https://access.redhat.com/security/updates/backporting/?sc_cid=3093

RHEL maintains application binary interfaces during the lifetime of their releases. Only for applications that can no longer be feasibly maintained through backporting (i.e. Firefox) do they update the version mid release.

A lot of people don't understand the backporting way of maintaining a stable platform across a release; it took me a while to appreciate it.

-Ross
Re: [CentOS] current bind version
Thank you all for helping to clarify this.

Thanks
Greg Machin
Systems Administrator - Linux
Infrastructure Group, Information Services

From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Ross Walker
Sent: Thursday, 24 February 2011 3:51 p.m.
To: CentOS mailing list
Cc: centos@centos.org
Subject: Re: [CentOS] current bind version

> On Feb 23, 2011, at 9:08 PM, Machin, Greg greg.mac...@openpolytechnic.ac.nz wrote:
>> Hi. I have had an enquiry from the Network and Security guy. He wants to know why CentOS 5.5 /RHEL 5 is using a very old version of bind “bind-chroot-9.3.6-4.P1.el5_5.3” when the latest release that has many security fixes is on 9.7.3. I understand that it's to maintain a known stable platform by not introducing new elements etc. Is there an official explanation / document that I can direct him to?
>
> Please check out: https://access.redhat.com/security/updates/backporting/?sc_cid=3093
>
> RHEL maintains application binary interfaces during the lifetime of their releases. Only for applications that can no longer be feasibly maintained through backporting (i.e. Firefox) do they update the version mid release.
>
> A lot of people don't understand the backporting way of maintaining a stable platform across a release; it took me a while to appreciate it.
>
> -Ross
Re: [CentOS] current bind version
On 02/23/11 6:08 PM, Machin, Greg wrote:
> Hi. I have had an enquiry from the Network and Security guy. He wants to know why CentOS 5.5 /RHEL 5 is using a very old version of bind “bind-chroot-9.3.6-4.P1.el5_5.3” when the latest release that has many security fixes is on 9.7.3. I understand that it's to maintain a known stable platform by not introducing new elements etc. Is there an official explanation / document that I can direct him to?

to put it bluntly, your security guy is pretty much worthless as such if he thinks security is audited by checking version numbers. sadly, this is too common.
Re: [CentOS] current bind version
On Feb 23, 2011, at 10:23 PM, John R Pierce pie...@hogranch.com wrote:
> On 02/23/11 6:08 PM, Machin, Greg wrote:
>> Hi. I have had an enquiry from the Network and Security guy. He wants to know why CentOS 5.5 /RHEL 5 is using a very old version of bind “bind-chroot-9.3.6-4.P1.el5_5.3” when the latest release that has many security fixes is on 9.7.3. I understand that it's to maintain a known stable platform by not introducing new elements etc. Is there an official explanation / document that I can direct him to?
>
> to put it bluntly, your security guy is pretty much worthless as such if he thinks security is audited by checking version numbers. sadly, this is too common.

Let's face it, most auditors these days are just accountants with Infosys Mgmt text books.

The ridiculously high levels of regulation have created a demand for auditors that can no longer be filled by competent IT-skilled auditors.

Oh well, these are the days.

-Ross