[ale] NanoPC

Lightner, Jeff JLightner at dsservices.com
Thu Mar 6 15:05:34 EST 2014


In the past they had specific quotes on their site telling you not to use Fedora for Production. They seem to have gotten rid of that but this link:
http://fedoraproject.org/wiki/Objectives

Says in part:
“Objectives Outside of the Fedora Project
The Fedora Project is not interested in a slow rate of change between releases, but rather to be innovative. We do not offer a long-term release cycle because it diverts attention away from innovation. For those community members who desire a long-term release cycle, there are derived distributions that satisfy this requirement. For community members who require a business-class support model beyond community maintenance, we recommend Red Hat Enterprise Linux. Our center of innovation and fastest rate of change is in our development branch.”

It also, in other areas, mentions the short lifetime, saying that essentially they do a new release every 6 months and typically only maintain 2 releases back.

There are different philosophies on the ways to maintain things. Most enterprises live with applications far longer than the year offered by such an aggressive release cycle. The fact that Fedora and other distros exist despite that is an indication that not everyone feels the need to go that route. However, if you work in organizations such as I have, you find you’re often using legacy products that simply don’t work on newer versions of things and/or are not supported by their vendors on those things. (In fact I just recently spoke to IBM about one of their products we were running on HP-UX 11.11 and the “updated” version still only runs on HP-UX 11.11 on PA-RISC even though HP quit making PA-RISC at the end of 2009 and had EOLed 11.11 long before that.)

I’m sure the next post will be telling me I should be the tail that wags the dog and force the company to abandon the product (which in the IBM case we luckily ARE doing) but that is not realistic in most organizations.   Most companies do NOT exist to run IT – they run IT to help their existence so business considerations outweigh technology considerations almost always.

By the way – the easier, more obvious solution to the security scanning issue I mentioned is simply to turn off the portion of the application that reports its version. As I said, the scanning software is brain dead, so it seldom checks to see if you are ACTUALLY vulnerable – it just checks versions, and if it can’t find one it ASSUMES you are NOT vulnerable.


From: ale-bounces at ale.org On Behalf Of Jim Kinney
Sent: Thursday, March 06, 2014 2:29 PM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] NanoPC



On Thu, Mar 6, 2014 at 1:35 PM, Lightner, Jeff <JLightner at dsservices.com> wrote:
I was being facetious with the Fedora comment.

Fedora is bleeding edge and they tell you NOT to use it for Production as most releases are not supported for more than a year. You’d be constantly upgrading and probably breaking Production.

Fedora doesn't say "don't use our stuff". That seems to be a management line :-) I have more issues with ancient crap lying around only getting security fixes (RHEL4) or bug and security fixes (RHEL5) than still getting new hardware patches as well as bug and security fixes (RHEL6). I ran Fedora as public facing servers for years because it was where the best and most current security tools were found. SELinux in RHEL is 2-3 years behind. The long support releases like RHEL are for businesses who never, EVER upgrade anything and are relying on 10+ year old applications for their core business that are not under active development. I get the allure but no code is perfect and it ALL requires updates over time (except the software that ran the space shuttle - only 7 mistakes in 20+ years of use. Not bugs or crashes. Mistakes. As in all the processes were proven mathematically before coding began. There were 7 mistakes in implementation. NO errors, failures, bugs or crashes ever!).

It is however used as a test bed for what ends up in RHEL eventually.

RHEL is a bit different from other distros as it focuses on stability by NOT updating every package to the latest upstream version over time. Instead it starts with a given upstream version of a package then backports bug and security fixes into their version to help ensure you’re not suddenly changing underlying tools used by your static applications. For most businesses this stability is an important consideration which is probably why it is so successful.

We have the same issues with developers often saying “hey install the latest php” and having to explain to them we won’t do that if it isn’t provided in the standard RHEL repositories.

No matter how I look at it, php makes my skin crawl and will for a long time to come.  The combination of php and mysql just screams "coding by kids with no understanding of good practices". Just because it's easy doesn't mean it's any good.

Another issue we see is most security scanning tools are brain dead and will flag properly patched RHEL versions of software as being vulnerable because they only look at the base upstream version and ignore the extended versioning RHEL puts on its backported updates that address the same CVEs they’re flagging.

ARGH!!! Very frustrating! Only solution is to use tools that are designed to work with the distro in use. Might as well run a Windows scanner on a RHEL box for all the good that's doing.

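The scanner failure mode the thread describes (comparing only the upstream version and ignoring the distro release tag that carries a backported fix), as an added example that is not code from the thread or from any real scanner: the package name, version strings and advisory table are constructed placeholders, and `rpm_vercmp` is a simplified reimplementation of rpm's comparison rules, not the library itself.

```python
# Added example (not from the thread): why an upstream-version-only scanner
# misflags a distro build that carries a backported fix. Package name, version
# strings and the advisory below are constructed placeholders, not real data.
import re

_NVRA = re.compile(r"^(?P<name>.+?)-(?:(?P<epoch>\d+):)?(?P<version>[^-]+)"
                   r"-(?P<release>[^-]+?)(?:\.(?P<arch>noarch|x86_64|i686|aarch64))?$")

def parse_nvra(nvra):
    """Split 'name-[epoch:]version-release[.arch]' into its fields."""
    m = _NVRA.match(nvra)
    if not m:
        raise ValueError(f"not an RPM NVRA string: {nvra!r}")
    fields = m.groupdict()
    fields["epoch"] = int(fields["epoch"] or 0)
    return fields

def rpm_vercmp(a, b):
    """Simplified rpmvercmp(): compare run by run; numeric runs compare as
    integers and beat alphabetic runs; on a full tie the longer string wins."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Order two parsed packages by (epoch, version, release), as rpm does."""
    if a["epoch"] != b["epoch"]:
        return 1 if a["epoch"] > b["epoch"] else -1
    return rpm_vercmp(a["version"], b["version"]) or rpm_vercmp(a["release"], b["release"])

# Constructed advisory: upstream fixed it in 1.0.1g; the distro backported the fix into 1.0.1e at release 16.el6_5.7.
ADVISORY = {"upstream_fixed": "1.0.1g", "distro_fixed": "examplelib-1.0.1e-16.el6_5.7"}

def naive_scan(installed, adv=ADVISORY):
    """The upstream-version-only check the thread complains about. True = flagged."""
    return rpm_vercmp(parse_nvra(installed)["version"], adv["upstream_fixed"]) < 0

def distro_aware_scan(installed, adv=ADVISORY):
    """Compare the full EVR against the distro build that carries the backport."""
    return evr_cmp(parse_nvra(installed), parse_nvra(adv["distro_fixed"])) < 0

if __name__ == "__main__":
    for box in ("examplelib-1.0.1e-16.el6_5.7.x86_64", "examplelib-1.0.1e-16.el6_5.3.x86_64"):
        print(box, "naive:", naive_scan(box), "distro-aware:", distro_aware_scan(box))
```

The patched build is flagged by the naive check and cleared by the release-aware one, while the older release tag is correctly flagged by both.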