Security Policy and updates of linux distributions

sciencewhiz

Diamond Member
Now that Redhat has EOL'd Redhat 9 and Fedora has taken over, what is the security policy of the big distributions?

Fedora: No updates beyond the current version
Debian: Updates for a year after the release of the next stable version (In other words, updates for a very long time).
Suse: Seems to release updates for 2 years or so.
Mandrake: 12 months for "desktop" packages, 18 months for "server" type packages
Gentoo: ???
Knoppix: ??? (Do they have a security policy except that they release new versions often?)
Slackware: ???
 
I can't find an official policy for Suse, but I see updates for 7.2 released recently, so they must do updates for at least 2 years.

Sure would be nice if somebody kept track of this. I'm e-mailing the guy at DistroWatch.

Anyone know the policies of the others?
 
Whiz, security policy (or policies) for what purpose? What do you mean by security policy? Bug fixes? Patches?
For what purpose do you intend to use your Linux box? How would you relate security to, say, a desktop that has no servers running, vs. a Linux server (or firewall)?

 
The most important thing is how long they patch known security holes for.

Do they have a security team that actively searches for holes, or do they just respond to CERT, etc.? Do they have a security team at all, or do they rely on individual package maintainers? How are patches distributed?

What I'm looking for is a desktop distribution that is easy to update and has updates available for a long time. Redhat met those criteria, but that's not an option any more.
 
For a personal desktop, Debian is what I would recommend; if you can make it past the setup and configuration, you're good for eternity.

For a professional workstation I would probably go with Redhat's Enterprise Workstation, or whatever they call it, if you really need commercial support.
 
I run Debian on my laptop, and if I were setting up one or two computers, that is what I would do. However, I'm setting up 25, all with dissimilar hardware. Thus, I need some type of hardware detection to keep my sanity.

Money isn't there for 25 copies of Redhat's Workstation, although that's what I'd really like to do.
 
The good thing about Linux over Windows in this regard is that the majority of the distros can be updated on a weekly or monthly basis easily.

For instance, I had Redhat 8.0 installed on my parents' spare machine. With that I use apt-get for rpm as the package management system instead of Redhat's normal up2date facilities. I just kept that updated with the newest stable packages available from a variety of rpm repositories on the net.

With apt-get for rpm you do an "apt-get update" to fetch the current information on the packages and then an "apt-get upgrade" to install the newest versions of the various programs that make up the operating system. Then eventually I used the same thing to upgrade that Redhat install to Redhat 9.0.

The network people at work have much more experience with Redhat than I do, and I talked to one of them about it; they use Yum to keep it updated. It performs a similar function, and he has it set up to update automatically on a weekly basis, so he doesn't even have to mess with it and the OS itself keeps up to date.

It's getting to the point where numbered OS versions are getting kind of obsolete. Since EVERY aspect of the OS is completely modular from the kernel up, you can continuously replace it a piece at a time.

Over a year or 2 you can completely replace every single program you've installed with updates, and since you do it a little bit at a time, the problems and incompatibilities that unfortunately crop up from time to time are usually trivial and can be resolved quickly.

Debian and Gentoo are the most extreme examples of it, with Debian having a superior implementation.

Debian has the full-fledged apt-get, and they were the people that originally developed it.

Debian has 2 branches: Stable and Unstable, and a third one called Testing.

Most users end up using unstable for a home computer because it has the newest stuff available, and the continuously, rapidly changing system creates problems that a home user is usually comfortable with. Although it is "unstable" in that occasionally a bad package makes it through the community and causes headaches.

For situations and people that don't like to deal with this, there is the Stable branch. These are programs that remain mostly frozen. Bug fixes and security updates are still accepted into it, so that you don't have to worry about falling behind in that department. A weekly, monthly, bi-daily, or whatever updating can be set up to automatically pull down bug fixes and security patches while you sleep, so that you don't have to deal with that sort of stuff.

Then, after the "unstable" branch has stabilised and enough "good" packages make it through the "testing" branch successfully, they offer a huge update for stable. You then have a long while where they still support the old stable version and give people a chance to gracefully update to the new OS.

"Woody" is the name of the current stable branch, "Sarge" is the current testing one and will become the name of the stable branch eventually. "Sid" is the unstable and will always be unstable. They are named after Toy Story characters.

So you see the EOL of products between Windows and Linux can't be compared directly, since in Linux there is really no good reason to let an OS grow more than a year or 2 out of date. An upgrade (as long as you have a good internet connection) is simple and can be continuous, compared to Windows, where an upgrade, say from Win98 to Win2000, can be a fairly expensive and traumatic undertaking.

I don't think that it's so much more wonderful than Windows or anything, but it's just a different way of approaching the same problem that all software/computer users must face eventually.

I figure that's one of the main reasons that Redhat is moving away from numbering versions like Redhat 8.0 to Redhat 7.0 to Redhat 9.0 and such and going to a classification system of Enterprise "WS", "ES", and "AS". You pay a yearly fee for support; you get phone and internet support for a year and then you get the quarterly updates. The pricing structure, I don't know if it is too hot (it does come with a bunch of commercial software that would otherwise have to be purchased separately, though), but at least it's a step in the right direction and capitalises on Linux's strength.
 
Originally posted by: sciencewhiz
I run Debian on my laptop, and if I were setting up one or two computers, that is what I would do. However, I'm setting up 25, all with dissimilar hardware. Thus, I need some type of hardware detection to keep my sanity.

Money isn't there for 25 copies of Redhat's Workstation, although that's what I'd really like to do.

That's a problem I've been messing around with lately and is something that Gentoo does fairly well. Download the Gentoo live eval/install CD and see how they do it.

Basically, if you want to use the newest kernel, here is what you generally do, although I haven't figured it out completely. Otherwise use one of the kernels available from Debian. Check out this to use Debian's stuff to compile and make custom kernel packages.

You need to create a kernel that is extremely modular. Make everything modules (as long as everything is x86 hardware). Compile the kernel, make the modules, install it and test it on one machine.

Then you may need to look into an initrd image. This image is a simple root file system that is mounted into RAM at boot-up time and loads any necessary modules to access the file system: network drivers, for instance, if you run a remote NFS root on a central server, or SCSI modules to access the hard drive. Then, once you get the modules loaded and whatever else needs to get done, it automatically goes and unmounts itself and goes on with the normal boot-up procedure. Check out initrd-tools in your dselect.

Other things to look into are the hotplug support in the kernel and scripts, so that it detects things like USB devices that get plugged in and CardBus stuff for laptops and automatically configures network interfaces.

Also check out Kudzu, which is Redhat's hardware probing tool that is used at startup to detect and configure new hardware.

I suppose there are quite a few other things you can use to detect hardware and aid in configuring stuff quickly for everything, but hopefully that will help you get headed in the right direction.

Also, for keeping the Debian stuff up to date, it may be a good idea to keep a local apt-get repository/mirror on a LAN-only FTP server that contains the packages that you use. That way you only have one computer downloading the packages and stuff, and all the rest of your computers can install off of those over the LAN instead of having to go over the internet. I'd set up something like a cron job (or just do it manually on a weekly basis till you make good bash/perl/python scripts to automate it) to check internet servers for updates, and then pull down the updates to be used for the rest of your computers.

edit: After getting everything set up and developing scripts to help automate downloading updates and stuff, you could set up an e-mail notification system to tell you what happens and any errors that may occur. Then you can spend your time improving the system/network and working on the performance, security and stability of your machines.
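One way to put the unattended security updating described two posts up (a cron job that pulls down security patches "while you sleep") and the e-mail notification suggested in this post into practice, as an added example that is not any poster's own script: a POSIX sh script for a Debian stable machine that derives a sources list containing only the security archive from /etc/apt/sources.list, runs apt-get against that list alone so that nothing but security fixes is pulled in, and mails a summary of the apt log to an administrator. The file paths, the administrator address and the cron schedule are placeholders, and mail(1) is assumed to have a working local MTA behind it; the sample sources.list in the usage check is constructed.

```shell
#!/bin/sh
# Added example, not from this thread: security-only, cron-driven upgrades
# for a Debian stable machine with an e-mail report. Assumes apt-get, a
# root crontab and a local MTA for mail(1). Paths/addresses are placeholders.

SECURITY_SOURCES="${SECURITY_SOURCES:-/etc/apt/sources.security.list}"  # placeholder path
LOG="${LOG:-/var/log/security-upgrade.log}"                            # placeholder path
ADMIN_MAIL="${ADMIN_MAIL:-root@localhost}"                             # placeholder address

# Keep only the security-archive lines of a sources.list (stdin -> stdout).
# Debian security entries point at security.debian.org and use the
# "<suite>/updates" (woody/sarge era) or "<suite>-security" (newer) suite name.
security_only_sources() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]' |
        grep -E 'security\.debian\.org|[[:space:]][A-Za-z]+(/updates|-security)([[:space:]]|$)'
}

# Pull apt-get's last "N upgraded, M newly installed, ..." line out of a log;
# prints "none" when apt never reported a summary (e.g. it failed early).
summarize_upgrade_log() {
    line=$(grep -E '^[0-9]+ upgraded, [0-9]+ newly installed' "$1" | tail -n 1)
    if [ -n "$line" ]; then printf '%s\n' "$line"; else printf 'none\n'; fi
}

# Run apt-get against the security sources only. Dir::Etc::SourceList replaces
# /etc/apt/sources.list, and SourceParts=- is apt's idiom for "no sources.list.d".
# $opts is deliberately unquoted so the two -o options word-split.
run_security_upgrade() {
    opts="-o Dir::Etc::SourceList=$SECURITY_SOURCES -o Dir::Etc::SourceParts=-"
    apt-get $opts update >>"$LOG" 2>&1 &&
        DEBIAN_FRONTEND=noninteractive apt-get -y $opts upgrade >>"$LOG" 2>&1
}

# Mail the result, the apt summary line and the tail of the log to the admin.
notify() {
    {
        printf 'Host: %s\nResult: %s\nSummary: %s\n\n' "$(hostname)" "$1" \
            "$(summarize_upgrade_log "$LOG")"
        tail -n 40 "$LOG"
    } | mail -s "security upgrade $1 on $(hostname)" "$ADMIN_MAIL"
}

main() {
    # Derive the security-only list once from the real sources.list.
    if [ ! -s "$SECURITY_SOURCES" ]; then
        security_only_sources </etc/apt/sources.list >"$SECURITY_SOURCES" || true
    fi
    if [ ! -s "$SECURITY_SOURCES" ]; then
        echo "no security entries found in /etc/apt/sources.list" >>"$LOG"
        notify FAILED
        return 1
    fi
    if run_security_upgrade; then
        notify OK
    else
        notify FAILED
        return 1
    fi
}

# Only act when called as "security-upgrade.sh run", e.g. from root's crontab
# at a time the modem is idle:   0 4 * * *  /usr/local/sbin/security-upgrade.sh run
case "${1:-}" in run) main ;; esac
```

Because the script only ever hands apt the security sources, a stable point release or a mirror that happens to carry newer packages cannot slip other changes onto the box. If the packages are staged on a LAN mirror as suggested above, the security line in sources.list simply points at that mirror instead of security.debian.org, and the filter still picks it up by the "/updates" or "-security" suite name.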
 
Originally posted by: NuclearFusi0n
"Debian and Gentoo are the most extreme examples of it, with Debian having a superior implementation."

Why do you say that?

Well, Debian (while using unstable) and Gentoo are extreme because they don't use any version numbering system whatsoever. There is no real Gentoo 9.2 or Debian 8.0 or anything like that. It's a continuous update.

I know that Gentoo has 1.4 and 1.3 and stuff, but that has more to do with major revisions to the portage system than anything else; other than that you only have 1 revision of Gentoo and Debian unstable, and that is "current", much different from the Redhat 7.2, 8.0 / Mandrake 6.0, 8.0, 9.2 / Windows 95, 98, ME, 2000 style of doing things.

Apt-get/dpkg and the various supporting applications are just better designed, more stable and a more "total" solution to package management than portage. This has mostly to do with the fact that apt-get has been around a LOT longer than portage and is a much more mature system.

I am not trying to burn on portage or anything. I like it, too, and use it.

For instance, I would be willing to put Debian stable, and maybe even unstable, depending on the circumstances, in a full-fledged business/school production environment if I had the chance. However, I wouldn't be willing to depend on Gentoo/portage for my livelihood just yet.

 
sciencewhiz:

(I was just thinking about this, I don't know if you thought about this before or not...)

Also, if you're going to be dealing with 25 computers, it may be a good idea to do things like setting up a Linux domain using an LDAP server (à la OpenLDAP, Novell NDS, MS Active Directory, etc.). (Also check out that guy's other docs; he has more detailed and more up-to-date ones.)

And then, on top of that, set up NFS-networked home directories from a server so that when people go from one computer to another their home directories will remain the same and have all the same settings for their GUI environment. Or something like that.
 
The new sarge installer does hardware detection; it's still a beta, but I used it on 2 different machines without any real problems.

Well, Debian (while using unstable) and Gentoo are extreme because they don't use any version numbering system whatsoever. There is no real Gentoo 9.2 or Debian 8.0 or anything like that. It's a continuous update.

Not true. Debian has release versions; the thing is, if you need up-to-date software you have to track unstable or testing.
 
Well, I started this thread because I wanted to know what distros actively gave security updates for their desktop distributions. I did that more out of curiosity, since I've pretty much decided to go with SUSE.

These computers won't all be in one place, so I can't use a centralized directory or NFS-mount the home directories. I don't want something that is continually updated; I want something that is stable and is only updated for security.

They need to be installed between Thursday night and Sunday night. I've been working on this project for the past month. Redhat 9 did everything that I needed. I've already done 10 or so installs while I refined my kickstart (automated install) setup. Then I got the word from above that we couldn't use Redhat 9 because it was being EOL'd too quickly.

I'll definitely give Debian's sarge installer a try. Nothinman, did you use beta-1 or one of the dailies? How recently?

An upgrade (as long as you have a good internet connection) is simple and can be continuous
90% of these will have a modem as the only internet connection.
 
I'll definitely give Debian's sarge installer a try. Nothinman, did you use beta-1 or one of the dailies? How recently?

I'm 99% sure I did both. I tried beta1 when it was announced, and I did another last night, but I'm not sure if it was a nightly or not, sorry.
 