Reasonable security policy or not?



freedomforme
April 5th, 2006, 02:32 AM
Would like some feedback from others about whether they feel this is a good security policy for a commercial distro?

When asked if they have a security team?

No, we don't have a "dedicated" security team. We just are not that big.

Shouldn't you, since your target market is not savvy enough to check and handle security related matters?

We take security seriously but we don't over react to security "holes". Many of these security holes are found by people TRYING to find holes, not found by someone having been exploited. Just because someone can drive their car 50 miles per hour into a brick wall does not mean we should throttle cars back to only 25 mph. So we evaluate security holes to determine their risk, simply because we don't have the resources to chase after every hole.

Are all published security vulnerabilities handled by PACKAGEMANAGER? How does PACKAGEMANAGER know there is one?

As previously stated, we don't chase after ALL published vulnerabilities.
=====================================================================

Is this reasonable security for a commercial distro? Considering the company often makes this statement:
One thing I think that's important to point out as well, is that ALL XXXXXXXX users, regardless if they have a PACKAGEMANAGER Service subscription or not, have access to security updates.

If I purchase the OS from them, should I have to go out and chase down my own security updates and apply them, which would mean I am no longer guaranteed support for my purchased OS since I used an unsupported method of software installation? Is this reasonable?

If a vulnerability is considered serious by other distros is it reasonable to write it off as not important? Thanks for any input.

briancurtin
April 5th, 2006, 02:41 AM
What distro is this that you are talking about? It seems that you have gone out of your way to exclude their name. I went out of my way to avoid the question since we don't know what it is.

Virogenesis
April 5th, 2006, 02:45 AM
I believe he's talking about Lindows/Linspire or whatever, and it depends on the user base that you are trying to attract.

freedomforme
April 5th, 2006, 03:07 AM
Sorry, I forgot one, so my post near the end doesn't make much sense. Of course, I rarely make sense! :)

When asked - You don't think that paying for the OS is enough to get some security updates?


Severe security holes can be made available to anyone who purchased the OS but they still have to have registered with PACKAGEMANAGER (regardless if their PACKAGEMANAGER account is active) otherwise PACKAGEMANAGER won't function. Most updates to programs, however, do require a membership to PACKAGEMANAGER. But you still have a choice to apply the update the old fashioned way.

Is this reasonable security for a commercial distro? Considering the company often makes this statement:


One thing I think that's important to point out as well, is that ALL XXXXXXXX users, regardless if they have a PACKAGEMANAGER Service subscription or not, have access to security updates.

If I purchase the OS from them, should I have to go out and chase down my own security updates and apply them, which would mean I am no longer guaranteed support for my purchased OS since I used an unsupported method of software installation? Is this reasonable?

Oh, and I specifically didn't mention the name so the policy can be evaluated fairly, or as fairly as possible. Thanks.

prizrak
April 5th, 2006, 03:39 AM
It very much depends. When it comes to FOSS software, updates should be free; at the same time no one is stopping the user from downloading the software and updates on their own, bypassing CNR (which is NOT just a package manager). The payment is for the service that makes it easier to install the software, not the software itself. As far as security updates go, each OS has its own support cycle and procedures. I would say that it's a sound policy for them as they claim they do not have the resources. Luckily there are many distros to choose from.

freedomforme
April 5th, 2006, 03:53 AM
Ok, let me rephrase a bit on one part...

If a company says this:

One thing I think that's important to point out as well, is that ALL XXXXXXXX users, regardless if they have a PACKAGEMANAGER Service subscription or not, have access to security updates.

yet in actuality it is this:

No, we don't have a "dedicated" security team. We just are not that big.

We take security seriously but we don't over react to security "holes". Many of these security holes are found by people TRYING to find holes, not found by someone having been exploited. Just because someone can drive their car 50 miles per hour into a brick wall does not mean we should throttle cars back to only 25 mph. So we evaluate security holes to determine their risk, simply because we don't have the resources to chase after every hole.

Severe security holes can be made available to anyone who purchased the OS but they still have to have registered with PACKAGEMANAGER (regardless if their PACKAGEMANAGER account is active) otherwise PACKAGEMANAGER won't function. Most updates to programs, however, do require a membership to PACKAGEMANAGER. But you still have a choice to apply the update the old fashioned way.

is this reasonable?

freedomforme
April 5th, 2006, 03:59 AM
Also, is it reasonable to lead your customers into believing that the operating system is secure and has all the updates and patches it needs when in actuality they just don't worry about any updates they do not feel are critical?

And is it reasonable that if I track down and apply an updated package, I am no longer eligible for official support help from the company I purchased the OS from?

So if Ubuntu decided to go this route and not worry about any security updates they do not feel are critical enough to worry about then is that reasonable?

I am talking about published security vulnerabilities that have been reported AND have been fixed in updated packages or patches or whatever.

Iandefor
April 5th, 2006, 04:10 AM
Where are you going with this? At the moment, it sounds like you're going to turn this into an indictment of Ubuntu.

freedomforme
April 5th, 2006, 04:23 AM
No, I am wondering if it is reasonable for a commercial distro to do these things, and if you feel like it is, then how would you feel if a non-commercial distro did the same? Is it reasonable for a commercial distro to do these things? There is nothing to read into my questions. I was just wondering...

briancurtin
April 5th, 2006, 04:48 AM
It's reasonable for anyone to do whatever they want. If you don't like it, you can look elsewhere.

mstlyevil
April 5th, 2006, 04:57 AM
Ubuntu will never change the way it does package management and updates. A third party application for package management will not change that. Ubuntu just cannot be compared to company XYZ since it is a community based distro with a six month development cycle.

freedomforme
April 5th, 2006, 05:00 AM
It's reasonable for anyone to do whatever they want. If you don't like it, you can look elsewhere.

So it is reasonable for Dahmer to drill holes in little children's heads and pour acid in them? So it is reasonable if Debian decides to use child labor to churn out the next release? Nah....I don't think everything is reasonable.
You seem to confuse 'reasonable' with the word 'able'.
I realize they are ABLE to do whatever they want. I am asking if this seems like a reasonable business practice for a company.

mstlyevil
April 5th, 2006, 05:01 AM
We know that you are trying to continue the conversation about Ubuntu, Linspire, and CNR. Kiwi already locked the other thread, so I am just going to do him a favor and lock this one.


This subject has been well and truly thrashed out here before. Also, it's not a reality at this point.
This thread is destined to go down the drain, so I think it's best ended here.