Re: support for RedHat distributions
Firstly, Martin, I just want to say thanks for the effort you have put
in with respect to linux security at SFU. Linux has been a valuable
addition to our networking infrastructure here in Psychology and the
linux-security group has been an asset in managing that resource. Your
spear-heading efforts in developing the linux-security group and
providing Linux security notices and updated RPMs are appreciated. I
sincerely hope that we can continue to pool information, share knowledge
and experiences and otherwise simply benefit from the collective
conscious regardless of which direction we head.
Now, down to the business at hand...
Before looking at the alternatives you presented, let me present my
current situation. I have three Red Hat Linux servers deployed; one web
and database server, one software development system, and one box acting
as a firewall/gateway to a subnetted lab. All are running 7.2 and all
are updated with subscriptions to RHN. My needs for Linux support are:
- Risk Management tools - including centrally available security
  and errata updates.
- Distributions that are supported for at least two years
  (longer = better).
- A simple method of adding, updating and removing packages -
  read: RPMs or similar - tarballs don't cut it.
- Reasonable cost - $349 USD/machine/year is not reasonable when
  it is the Linux community developing the updates and Red Hat
  merely providing a delivery service. The current cost,
  $60 USD/machine/year is reasonable.
Alternative 1: Fedora Linux - Red Hat has made it clear that Fedora is
not geared towards the production environment. I'm not going to test
that claim. Following Fedora would be a very expensive solution in
terms of time spent testing distributions and application software and
maintaining production systems. Further, deploying bleeding-edge
software raises security risks to an unwarranted level.
Alternative 2: SuSE - I will probably test-drive SuSE. What concerns me
about SuSE however is that the benefit over a Red Hat product only
pertains to the 9.0 Professional package; their enterprise server line
is more expensive than Red Hat's to purchase and yearly maintenance is
almost as expensive as Red Hat. It is unclear to me at this time
whether or not SuSE's "free" maintenance program on 9.0 Professional
would cover the necessary server components that I need to run (e.g.
Postgres) or if it would only cover the packages that are part of the
Professional release.
Alternative 3: Debian - Could probably make this work, but would prefer
an RPM-based solution. Third-party support is, as you mentioned, also
an issue.
What I "wish" is that Red Hat would provide its existing update service
at a reasonable price! I e-mailed Red Hat two weeks ago, asking if they
were considering Educational pricing on RHN for the Enterprise Server.
They have yet to respond.
My decision on which direction I will take will likely be influenced by
what we (SFU's linux users) might be able to do collectively. I look
forward to hearing where others are with this issue.
Martin Siegert wrote:
> Dear Linux-security subscribers:
>
> ... there will be none (see subject).
>
--
Cheers,
Richard Blackwell Ph : 604.291.4092
Manager, Information Technology Fax: 604.291.3427
Department of Psychology RCB 5320
Simon Fraser University