I'll put my other hat on and provide a few comments.
On 09/21/2011 01:49 PM, Fraser Adams wrote:
>
> I'm seeking some objective guidance about the differences between
> RedHat MRG and Apache Qpid Open Source.
>
> There has been some discussion in my organisation about whether we
> should go down the MRG route and I'm interested in the perspectives of
> others.
>
>
> One of the biggest concerns that seems to be being flagged is the
> potential for security vulnerabilities and the responsiveness of an
> Open Source versus commercial product with respect to patching
> identified vulnerabilities. I'm also interested in whether there are
> any significant performance differences.
>
> Is there a difference between MRG and Qpid in this count?

Depends. MRG is built the same way we build RHEL for example. This means an upstream version is taken from Qpid and all the other source trees used, then this is tested, hardware certified etc, and any issues found are fixed and patched. Yes we push these back upstream, but we don't pull work in progress onto the stable distro. We then support this version and port any fixes from upstream for customers to the version and support it for 5-7 years. At some point we will re-base and repeat the process. So MRG you get this stable patch stream of bugs, minor RFEs, security etc etc.

>
> My understanding was that there's a pretty tight synergy between MRG
> and Qpid and that patches make it back and forth in quick succession.

Yes, patches are pushed back to Qpid, but they go in with any other work going on. Where Red Hat with MRG maintains a stable tree and the only patches in items based on a QA, compat, etc much like the RHEL process.

> It was also my understanding that RedHat was a key sponsor and RedHat
> was also part of the Open Source community - I've noticed a few RedHat
> email addresses on this Mailing list.

Yip, I for one am one such individual :-)

>
>
> I'd really appreciate an unbiased comparison. If going MRG means my
> organisation funding the Open Source community in a round about way
> perhaps I ought to be encouraging it, but conversely I don't want to
> see uninformed bad mouthing of the strategy for managing
> vulnerabilities in Open Source projects propagating in my
> organisation. So if MRG is no more secure than Qpid I'd like to make
> that clear and to have a decision on MRG versus Qpid decided on merit
> rather than assumption.
>

I would not hang an argument of security as a difference. Rather the application to version that has enterprise lifecycle managed for you, the ability to get hot fixes, support etc for MRG.

Now putting my Qpid hat on, if you use Qpid, that is great, we would love to have you as a Qpid user, one way or the other

Carl.

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:[email protected]
