[linux-elitists] What to do about cluebatting such companies, that require possibly *YEARS* old Distros

Rick Moen rick@linuxmafia.com
Wed Jan 26 14:51:06 PST 2005


Quoting Aaron Sherman (ajs@ajs.com):

> Ok, enough of the humor.

Except, perhaps, for the funny kind.

> Let's keep in mind that Fedora is VERY new, and
> Red Hat Linux 7.3 was released in mid-may, 2002 -- less than three years
> ago!
[...]
> You are also ignoring the fact that we're talking about not upgrading
> systems in 3 years.... 3 years... that's a blink of the eye on most
> corporate timelines. 

Sounds rather like an RHEL customer.  There's a price to pay for being
both too cheap _and_ not competent to do it yourself -- about which,
more below.

> Why on earth would you expect software to be upgraded that fast when
> it comes with nearly no benefit to the company that does so (and
> before you say there are tons of benefits, please show me the examples
> of the companies that are running Red Hat/SuSE 7 that are being beaten
> out of their markets by the guys running the latest and greatest).

Those would be the ones whose key machines aren't crashing, leaking
confidential data, being defaced with H4X0R pages, and having their data
tampered with by random intruders.

So, some people, possibly even on this list, seem to assume that all
that's required for a distribution to be maintained is for some
individual to read BugTraq diligently and fire off updates and errata
notices for every hole gossiped about^W^W disclosed there.  But not
everything reported there is real, not everything real is applicable,
not everything real and applicable is of equal importance, and not
everything real, applicable, and urgent has one obviously best fix
(e.g., upgrade versus backport).  This is why distributions have
security teams.

If you're using a distribution and not assuming all security-patching
responsibilities _personally_, you will be putting some level of trust
in a security team that distributes updates and errata notices.  In the
case of RH 7.3/9, as noted, the null choice is ill advised -- doubly
so if you disable IP-filtering.  Triply so on _new_ installations of
already EOLed products.

Which leaves you with the need, in that situation, to realise you have a
problem, and spend the twenty seconds of googling required to find
Fedora Legacy or a similar replacement security team, plus (optionally)
the RPM to retrofit yum or apt-rpm onto the system.

Which means you have to also decide how much trust you should vest in
Fedora Legacy (or similar).  I mean no disrespect to that project:  It's
set itself a tough and largely thankless job.  That job happens, in
their case, to be implemented via version upgrades to the latest
upstream rev. of each security-impaired package, rather than
backporting, so people who run EOLed distros because of
proprietary-application requirements may well be screwed, either way.

Or, the legacy-app box can be run in a (very) isolated playpen.

Honestly, didn't we already know all that?  
