New Linux Support Policies are Ominous
Eugenia Loli, 2003-02-15, Privacy, Security

Red Hat and Mandrake are cutting support for older versions of their Linux distributions… The results will be a security nightmare for the Internet, says Jon Lasser.

About the author: Eugenia Loli, ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.

35 Comments

2003-02-15 6:15 am
12-18 months is not a long time. And MS has been supporting Windows NT 4.0 for how long, at least 5 years?
As for the Linux distros, it might help if they wouldn’t release a new f**king version every 3 weeks. And what’s the point of must upgrades anyway? New kernel? New Apache? New KDE (for desktops)? Seems that if the packages were a little easier to upgrade, all this distro updating wouldn’t be necessary.

2003-02-15 7:44 am
I don’t see a problem with this for a couple of reasons.
First off, I don’t use RedHat, but I imagine most RedHat users are like me. They want the latest version for their desktop and are not interested in running old versions.
Secondly, once you have a server running, you really don’t have to patch it all that often. Just patch it manually when there is a security advisory for a service or program that you are running. Anyone running a server should know how to do this.

2003-02-15 7:50 am
I’m not familiar with Mandrake’s new EOL cycle, but I know with Red Hat, the new EOL cycle pertains to Red Hat Linux, not Red Hat Advanced Server. I’m going to have to agree with Red Hat on this one. They view their personal users as being the type of people that upgrade often. Most of their users will upgrade from their current versions into Red Hat 8.1 when it is released as stable. And those that don’t will most likely upgrade to Red Hat 8.2 when that time comes.
The only people this is likely to inconvenience are those running Red Hat Linux on servers, and Red Hat is in the game to make money. By shortening the EOL, Red Hat is attempting to push servers running RH Linux to RH Advanced Server, which has a slower release cycle, and thus a longer EOL cycle. After clearing a few hiccups most will find themselves falling into the OS that best serves their needs: servers will move to RHAS for the most part, and personal users shouldn’t find themselves horribly inconvenienced by upgrading within a span of once a year.

2003-02-15 7:56 am
“Seems that if the packages were a little easier to upgrade, all this distro updating wouldn’t be necessary.”
Exactly. Just throw Mandrake and Redhat away and use Debian. Apt-get update && apt-get dist-upgrade will solve your problems.

2003-02-15 8:00 am
By the way, does anyone have urpmi running well? How does it compare to apt-get? You might not even have to switch distros if you can get urpmi working correctly.

2003-02-15 8:31 am
This is crazy. I don’t understand the big deal. An admin that has any brains will keep their systems up to date. It’s not like they can’t read advisories after their support contract is up.
And if they don’t have any brains they could just purchase RHAS or SES and all the support and updates that come along with it.
Honestly, people. Linux is free already, do some work to keep your machines up to date. Do you expect Linus to pop up like ‘Clippy’ whenever you need to update your kernel… hehe. A Linux ‘Clippy’ would rule…

2003-02-15 8:33 am
I meant LINUS ‘Clippy’… and maybe an RMS one that pokes you in the eyes when you say Linux instead of GNU/Linux…

2003-02-15 8:52 am
Red Hat’s and Mandrake’s positions are clear, and to my taste safe and very understandable. I really appreciate knowing exactly when a product will not be supported any more. For $0 priced products, I can’t imagine any complaint on this topic.
Today my preferred system is still W2K, but for a very expensive product, I can just imagine the “cut off day” (Microsoft always supports its systems for 5 years at least, but there is no promise).
Another piece of good news is for LFS, Gentoo or tar.gz based distros. This validates their choice. The apt-rpm repository, the ‘current’ project and the Krud distro are very good news too. A vendor independent package/software maintainer (maybe some worries on a security signature for packages) is undoubtedly a great and useful project.
A little comment for Iconoclast (a master in English grammar ;-))) ):
“First off, I don’t use RedHat, but I imagine most RedHat users are like me. They want the latest version for their desktop and are not interested in running old versions.”
You’re certainly right for desktop, but Linux offers (for free; you can do that with other systems, but for a very hard price) the capability to run desktop _and_ server software at the same time. Of course this is intended only to test the server side, but this is really useful. And so, here you tend to prefer the last release for desktop, and something more stable(*) for the server side, or sometimes try a very new release, but then absolutely need a very good way to come back to the stable release. (*) By stable I mean anything related to security when you have to connect this kind of configuration to the internet. To be clear, I have tried RH8, appreciate it a lot for desktop, and very quickly switched back to RH7.3 for the development part (Java).

2003-02-15 9:29 am
They probably do it because Linux development is going REALLY fast and is always in movement. So it’s hard to give support too, IMHO. The changes between Win9x/98/ME and NT/2K/XP do not differ that much. So it’s easier to keep a long EOL. Plus Microsoft has more resources to have longer support (money/people).
I personally use Red Hat (and yes, at work we use Advanced Server) and whenever there is a new version out (no betas) I update; with 8+ you can even do upgrades.
And I never had regrets about upgrading my OS with every new version. It only became faster for me! So people should not whine. My 2 euro cents.

2003-02-15 12:24 pm
sedition: “Honestly, people. Linux is free already, do some work to keep your machines up to date. Do you expect Linus to pop up like ‘Clippy’ whenever you need to update your kernel…”
GNU/Linux isn’t free. If you are a normal user, it costs you the internet connection, which is not free. There are the CD-ROMs, too.
And the updates don’t generally concern the kernel. Things like sshd, proftpd, apache are by far more concerned.

2003-02-15 12:37 pm
Admins are fully responsible for the systems they have to manage. I really don’t understand why people blame Microsoft or Linux distro vendors for not maintaining their systems. It’s not their work! If sysadmins are not capable of informing themselves about new vulnerabilities and patching these from source, they should be fired, is all.
The latest server worm Slammer’s propagation is due 99% to admins’ incompetency. Security fix available for 6 months, and they were not capable of patching it, pfff. Moreover SQL servers should not be directly accessible from the Net. I call that incompetency of admins, not software vendors.
As for OSS, it’s free, so you can upgrade as much as you want. And if you don’t want to, simply don’t. There won’t be much to patch for the next several years: it’s open, it’s old and popular, so everyone already knows about security holes if there were any.
Half of the sysadmins worldwide should be fired; then networks will be safer.

2003-02-15 12:47 pm
“GNU/Linux isn’t free. If you are a normal user, it costs you the internet connection, which is not free. There are the CD-ROMs, too.”
Free as in freedom, not as in free of cost. Makes a HUGE difference. It hasn’t been stated anywhere that GNU/Linux has to be free of cost. I really wonder why people think so.
It only has to be free as in speech; then it can be virtually free of cost, just as a consequence.
As for the internet connection, it makes me laugh as I’ve never seen any server not running over a network. And if it’s running locally and not connected to outside networks, there’s no attack risk.

2003-02-15 1:19 pm
“Half of the sysadmins worldwide should be fired; then networks will be safer.”
Amen, brother.
You want to upgrade your software? Download, uncompress, less README, compile, install. I’m confused as to what part of those instructions is so hard for sysadmins to follow.
Need an RPM? There is a spec file somewhere. Administering a Redhat server and don’t know about RPMs? That’s your fault.
My $0.02 CDN

2003-02-15 2:05 pm
— My system is better, yours sucks.
— No, mine is better, yours is lame.
— Mine is professional.
— Mine is Free like our Forefathers.
… and so on, and on and on…
This discussion really adds little to a site where you come supposed to read about other systems.
First thing, too many news about Linux. Let other systems appear, too! Secondly, remember that not everything M$ does is “innovation” in Windows, their OS (if there ever was any MS innovation that wasn’t copied from Apple…).
And last, but not least, Windows buyers don’t want Linux. They don’t care about freedom (many are involved in taking freedoms from their clients), quality is _not_ a major concern (they throw more underpaid suckers at the problem) and learning about OSes is considered a waste of time/zealotry in some business environments. And many _are_ greedy professionals trying to climb up the organizational ladder by not so noble means: for them Gates is a model of success.
Conversely, Linux users won’t accept lame software. They (we) want software so good that one can see the source code is itself also neat — even if it is paid and not gratis. So forget about binary-only, it just doesn’t cut it.
But open source proprietary is OK (well, some radicals in [Debian|FSF] might say otherwise).
In my own (limited) experience, many things we Linuxers say go unheard: buyers are so used to “vendor bullshit” that they don’t even consider the possibility that someone could be honest. They think Linuxers lie about “their product”, just like other makers do — especially M$.
I can’t speak for everyone, but maybe we Linuxers are so tired of being deceived that any proposal by M$ might be totally unbelievable — is this why we suspect Mono, in spite of Miguel’s obviously high competence?
Conclusion: maybe OSNews needs a change. Or maybe I do.

2003-02-15 2:20 pm
Duh, some of you guys (sedition & Ced) didn’t really read the article, did you?
Firstly, business users preferably trust vendor patches, not 3rd party patches. There is no room for interpretation here. So if next January an organization wants to patch a few hundred of their RH8 workstations, they can’t. And should they trust patches which are available from *.126.novustelecom.net or *.wanadoo.be? Don’t think so. Should they install 8.x/9.x all over the place? Don’t think so.
Secondly – the comparison with Slammer & sysadmins not patching their servers is a bit off here. It’d be a correct comparison if MS *didn’t* release the patch in the first place and each admin would’ve had to hack up his own.

2003-02-15 2:37 pm
> Secondly – the comparison with Slammer & sysadmins not patching their
> servers is a bit off here. It’d be a correct comparison if MS *didn’t* release
> the patch in the first place and each admin would’ve had to hack up his
> own.
or if the patch was not picked up by automatic update, and was not yet included in a service pack.
In this case the admin had to manually patch his system by overwriting some DLLs.

2003-02-15 3:19 pm
“Firstly, business users preferably trust vendor patches, not 3rd party patches.”
As far as I’m concerned, I trust patches coming from the actual developers themselves much more than from any vendors.
I especially don’t trust vendors as their business model is, in part, based on those updates, so they could be tempted not to fix everything at once, or to introduce newer bugs (intentionally or not). Well, as far as MS is concerned, it’s clearly their policy. Just look at how they managed Windows 9.x/ME, terrible.
“So if next January an organization wants to patch a few hundred of their RH8 workstations, they can’t.”
How can’t they? No RPMs? Bah, do they have admins or not? They can update and get patches from source (if they don’t want to update the whole distro by RPM). A “few hundred” is “a bit” ironic. I don’t know much about RH8, but I can hardly believe it will have hundreds of security holes within a year, even by installing 4000 extra and useless packages.
“And should they trust patches which are available from *.126.novustelecom.net or *.wanadoo.be? Don’t think so.”
Should they trust OSes and applications developed by a community formed of thousands of people worldwide working mainly as a hobby? That’s all GNU/Linux is about. If you don’t trust it, don’t use it. It’s as simple as that. RH or Mdk only provide some support for $$$ and help a bit developing the whole Linux thing.
Could RH or Mdk have developed Linux all by themselves? Definitely not. Linux is mainly based on volunteer work. Then why trust that volunteer work and not the patch made by the very same volunteers?
Because in most people’s minds in this capitalist world we all live in, money is a guarantee of quality. If you pay for something, it’s obviously better than something free. How could it be otherwise? That’s very lame thinking, but so common. And it’s so much easier to blame and sue a company because you messed up your computer or got viruses than to consider that you’re the only one responsible for your own errors.
Secondly – the comparison with Slammer & sysadmins not patching their servers is a bit off here.
It’d be a correct comparison if MS *didn’t* release the patch in the first place and each admin would’ve had to hack up his own.
Er… isn’t that what I said? Blaming sysadmins for not applying a patch already available for months?

2003-02-15 3:22 pm
Use Debian!!!!

2003-02-15 3:26 pm
“So if next January an organization wants to patch a few hundred of their RH8 workstations, they can’t.”
Silly me, I badly understood. Forget my 2nd phrase responding to that.

2003-02-15 3:27 pm
“Use Debian!!!!”
I do. Apt-get update && apt-get upgrade as a cron job is all you need to care about.

2003-02-15 3:30 pm
And if a company needs a commercial distro, use Xandros and you can still use the security updates from Debian :-)

2003-02-15 4:25 pm
This has been mentioned here before, but if you use Red Hat Advanced Server you won’t have any problems – as long as you pay for support.

2003-02-15 5:16 pm
No support from MS for its products = no patches. How the hell are you supposed to apply a patch if there isn’t one to begin with? Not like you have the source code to work with.

2003-02-15 5:19 pm
And why is it that the ultimate answer to every single problem with Linux known to man is… ‘Use Debian’???

2003-02-15 6:25 pm
> And why is it that the ultimate answer to every single
> problem with Linux known to man is ….
>
> ‘Use Debian’
>
> ???
It’s not really the ultimate answer (besides 42)… actually, my solution is ‘Use Gentoo’. It is the alternative that allows you to have apt-get functionality and convenience, except your e-penis can be longer since you also compile everything from source…
By the time Linux is actually used by mainstream people (i.e. more than ~1% of desktops), hopefully they will have automatic updating all worked out for those people that actually just use their computers instead of worrying about updating them constantly…

2003-02-15 7:12 pm
“The latest server worm Slammer’s propagation is due 99% to admins’ incompetency. Security fix available for 6 months, and they were not capable of patching it, pfff.
Moreover SQL servers should not be directly accessible from the Net. I call that incompetency of admins, not software vendors.”
Not if the security fix available for this vulnerability breaks something else. This IS a known problem with past Microsoft fixes/patches. Just HOW many things did Win2k SP1 and SP2 break?
Also, MOST of these fixes are couched in language stating to apply the patch ONLY if you think it affects you. How do you know? How long will it take you to test whether or not you might be affected, or whether or not the patch breaks things?
It’s not due to incompetence, it’s due to time constraints and lack of resources. And what if your application will be broken by that fix? Who fixes it? MS, or your application vendor? What if neither does?
And NO, the answer is not use Debian, Gentoo, Linux, BSD, or OS X!
Those companies with thousands and millions invested will NOT be able to rip all that out without, yep, MORE testing, conversion and whatnot. I haven’t seen much on the web about services offered which will convert an entire company’s infrastructure over with NO loss of functionality. If you can’t do that, then you simply can’t tell someone to ditch MS and go with something else.
Incompetent is telling someone that they’re incompetent because they haven’t risked gutting their company’s infrastructure because of a vulnerability they didn’t or couldn’t risk patching. Actually, that’s not even incompetence, it’s utter arrogance.

2003-02-15 9:25 pm
> Should they trust OSes and applications developed
> by a community formed of thousands of people worldwide
> working mainly as a hobby?
That’s why they do pick RH or SUSE to begin with. They don’t pick Vector or Gentoo or whatever other distro maintained by hobbyists (albeit very good hobbyists). Corporate clients trust corporate vendors.
An IT manager suggesting a desktop distro (not server, mind you) with no real tangible company behind it supporting it would probably get spanked if not kicked.
> RH or Mdk only provide some support for $$$
> and help a bit developing the whole Linux thing.
Yeah, except they changed the rules mid-game. That’s what pisses people off. If they (RH & MDK) had announced a 1-year life cycle when they released their distros then it would’ve been fairer.
> Then why trust that volunteer work and not
> the patch made by the very same volunteers?
A distro is not separate pieces thrown together. You’d expect them to work, too. Naturally the best source for compatibility and errata would be the vendor. Does version 0.78 of your FavouriteProgram break anything in your system? The author probably doesn’t know. The distro vendor probably knows. That’s the difference.
It’s not like you can’t keep your RH or MDK up to date afterwards, it’s just that it’ll take much more time and resources to do so.

2003-02-15 9:45 pm
“Firstly, business users preferably trust vendor patches, not 3rd party patches. There is no room for interpretation here. So if next January an organization wants to patch a few hundred of their RH8 workstations, they can’t. And should they trust patches which are available from *.126.novustelecom.net or *.wanadoo.be? Don’t think so. Should they install 8.x/9.x all over the place? Don’t think so.”
Whoa. Are you letting an MBA run your servers?
No offense, but I would trust a 3rd party patch from Joe Blow for OpenBSD over some vendor certified, shrink-wrapped hack from Microsoft. Vendor certification doesn’t make you any safer or more correct.

2003-02-15 11:25 pm
Firstly, business users preferably trust vendor patches, not 3rd party patches. There is no room for interpretation here. So if next January an organization wants to patch a few hundred of their RH8 workstations, they can’t. And should they trust patches which are available from *.126.novustelecom.net or *.wanadoo.be?
Don’t think so. Should they install 8.x/9.x all over the place? Don’t think so.
Where do you think RedHat gets most of the patches it provides to you during the 18 months?

2003-02-15 11:29 pm
“It is the alternative that allows you to have apt-get functionality and convenience, except your e-penis can be longer since you also compile everything from source…”
That is great, Kai! I’ve never heard the term e-penis before, but it is probably the most accurate technical term I’ve seen used here in a long time.

2003-02-16 2:00 am
Gentoo is awesome, I finally got it installed!!
However, Gentoo, Debian, (enter your fav community distro here) are not the answer businesses are looking for. They want that vendor support, regardless of whether there is any real value in it. In my experience, the big wigs get a bit skeptical when they don’t have a company behind the product they’ve invested a lot of time and money into. Maybe they want that to be able to point a finger when things go wrong, who knows.

2003-02-16 7:33 am
Read, for god’s sake, what people write, will you?
Redhat is responsible for making those hundreds of pieces of software work together. That’s what “putting out a distro” is about. It’s not just about putting out a collection of software on CD. You make sure those programs and patches actually work with the other software the user has (since he’s using the same distro, you know). Only the distro vendor can assure which versions and which patches will work with your system.
I’m not interested in arguing pro or con the DIY approach. As a home user or owner of a small independent firm with staff consisting entirely of geeks – why not. Most businesses will not get a DIY distro. A version with no vendor support turns into a DIY distro.

2003-02-16 5:10 pm
-“Seems that if the packages were a little easier to upgrade,
-all this distro updating wouldn’t be necessary.”
-
-“Exactly.
-
-Just throw Mandrake and Redhat away and use Debian.
-Apt-get update && apt-get dist-upgrade will solve your
-problems.”
And what’s wrong with ‘up2date’ (Red Hat) and the *network capable* software manager in Mandrake?
Maybe reading the basics in the instruction manual would ease the use of your particular distro……

2003-02-17 4:04 am
“Redhat is responsible for making those hundreds of pieces of software work together.”
I beg to differ. Having used RedHat extensively in the past, I have found that they do package a bunch of stuff, but they do not make them work together. In fact, most RedHat releases (at least 6.x and earlier) were not self-hosting, meaning all the software they shipped could not be built on the system it was shipped with.
“That’s what ‘putting out a distro’ is about. It’s not just about putting out a collection of software on CD.”
You are right. It is about providing a value added solution on top of existing software. For example, installers, icons, support, etc. They do not, however, rewrite Sendmail, ftpd, apache, and so forth specifically for RedHat.
“Only the distro vendor can assure which versions and which patches will work with your system.”
Obviously never patched a system, have you?

2003-02-18 3:47 pm
“Open source opponents have for years warned, ‘You get what you pay for.’”
And how is this an argument *against* open source? They’re right: you get what you paid for. So if you want more support, then pay more!
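Several commenters above say that once vendor support ends, an admin simply reads the advisories and patches by hand. The step that makes that workable on a few hundred RPM-based boxes is knowing which installed versions are actually older than the fixed version an advisory names, and RPM version strings do not compare like plain strings. The following added example is not code from the thread, from Red Hat or from Mandrake: it implements the rpmvercmp ordering rules (numeric segments compare numerically, alphabetic segments as strings, a digit segment beats a letter segment, and a tilde marks a pre-release that sorts before everything; the caret separator of newer rpm releases is not handled) in Python and runs a constructed errata list against a constructed package inventory. All package names, EVR strings and advisory ids are made up for illustration.

```python
"""Report installed RPM packages that are older than an advisory's fixed EVR.

Added example. Version ordering follows rpm's rpmvercmp rules (tilde
supported, caret not). INSTALLED and ERRATA are constructed sample data,
not a real inventory or a real errata feed.
"""
import re
import string
from typing import Dict, List, Tuple

_ALNUM = set(string.ascii_letters + string.digits)
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version string a is older than, equal to or newer than b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separator characters (dots, dashes, anything not alphanumeric or '~') are skipped.
        while i < len(a) and a[i] not in _ALNUM and a[i] != "~":
            i += 1
        while j < len(b) and b[j] not in _ALNUM and b[j] != "~":
            j += 1
        # A tilde sorts before everything, including the end of the other string,
        # which is what makes "1.0~rc1" older than "1.0".
        if (i < len(a) and a[i] == "~") or (j < len(b) and b[j] == "~"):
            if i >= len(a) or a[i] != "~":
                return 1
            if j >= len(b) or b[j] != "~":
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        ma = _SEGMENT.match(a, i)
        mb = _SEGMENT.match(b, j)
        sa, sb = ma.group(0), mb.group(0)
        i, j = ma.end(), mb.end()
        if sa.isdigit() != sb.isdigit():
            # A numeric segment is always newer than an alphabetic one.
            return 1 if sa.isdigit() else -1
        if sa.isdigit():
            # Numeric segments: drop leading zeros, then longer means larger.
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    # All compared segments were equal: whichever side still has characters wins.
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release' into (epoch, version, release); epoch defaults to 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch numerically, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    return c if c != 0 else rpmvercmp(ra, rb)


# Constructed inventory: package name -> installed EVR (sample values only).
INSTALLED: Dict[str, str] = {
    "openssh-server": "0:3.4p1-2",
    "apache": "0:1.3.27-2",
    "proftpd": "0:1.2.6-1",
    "kernel": "0:2.4.18-19.8",
}

# Constructed errata list: (advisory id, package, fixed EVR). Ids are placeholders.
ERRATA: List[Tuple[str, str, str]] = [
    ("EXAMPLE-2003:001", "openssh-server", "0:3.4p1-3"),  # newer release: needs patching
    ("EXAMPLE-2003:002", "apache", "0:1.3.27-2"),         # already at the fixed EVR
    ("EXAMPLE-2003:003", "proftpd", "0:1.2.7-1"),         # newer version: needs patching
    ("EXAMPLE-2003:004", "sendmail", "0:8.12.8-1"),       # not installed here: ignored
    ("EXAMPLE-2003:005", "kernel", "0:2.4.18-19.8~rc1"),  # pre-release is older: no action
]


def unpatched(installed: Dict[str, str], errata: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (advisory, package, installed EVR, fixed EVR) for every advisory still open."""
    findings = []
    for advisory, name, fixed in errata:
        have = installed.get(name)
        if have is not None and evrcmp(have, fixed) < 0:
            findings.append((advisory, name, have, fixed))
    return findings


if __name__ == "__main__":
    for adv, name, have, fixed in unpatched(INSTALLED, ERRATA):
        print(f"{adv}: {name} {have} is older than fixed {fixed}")
```

On a real box the inventory would come from `rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'` and the errata from the vendor's or a trusted third party's advisory feed; the point of the comparison function is that a naive string comparison would rank "1.10" below "1.9" and miss exactly the updates an admin without vendor support has to track by hand.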