Re: [inbox] Re: RE: Linux (in)security

[Ron DuFresne <dufresne () winternet com>]

On Thu, 23 Oct 2003, William Warren wrote:

> This is am IBM problem not a Redhat and/or Linux problem.

No, red-hat problem really.  IBM does the backend contract for support, be
the dist Suse or red-hat.  Red-hat holds the responsibility for
maintaining the RPM's.  Now, if the RPM's are not kept up to date, and
red-hat does not properly keep IBM clued as to how 'fresh' their RPM's
are, it falls into red-hats hands.  If Suse were to do the same <maybe
they do, maybe they are better prepared for their push into the IBM
mainframe world?> then they would be suffering the same problems to their
prospective customers as well.  Look at any of the past red-hat advisories
and  their corresponnding platforms and  fixup RPM's to address the
issues; note that the s390 platform is *not* represented.  This puts the
onus of determining how fit and up-to-date the red-hat RPM's are for this
platform soely upon the customer.  As I said, red-hat was unprepared  for
this push having devoted little if any resources to it's maintainance
schema.  Their  focus having been the  i386/ai64/ppc platforms.

Is this changing?  We'll see as they rollout red-hat's version 9.0 for the
s390 platform and how they commit to their backend support schema.

Thanks,

Ron DuFresne


> Ron DuFresne wrote:
> >     [SNIP]
>
> > red-hat pushes out the product, which IBM is the back channel support for.
> > I ask in the very first meeting with the red-hat sales-lizard;  Umm, there
> > was a vuln released today that affects the kernel, I see red-hat addressed
> > this on the i386 and ia64 as well as the ppc platforms, has it been
> > addressed on the s390, or can you just plain tell me we are not vuln?  To
> > which the red-had-lizard was clueless to the whole concept.  And it took
> > 4-5 months for IBM to get from red-hat their 'updates' page for s390 rmp's
> > all of which were older then known issues/exploits.  Turns out IBM claims
> > to have been unaware that even though red-hat is chanrging for the
> > platform enterprise release, They have not devoted any backend resources
> > to keeping it current.  Tells me that also, IBM could not have conducted
> > an audit on what is mont maintained, let alone what was released.
> >
> > And points to the fact that even though it's possible to play linux on the
> > IBM platforms, it's not really ready for prime time.
> >
> > Thanks,
> >
> > Ron DuFresne
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > "Cutting the space budget really restores my faith in humanity.  It
> > eliminates dreams, goals, and ideals and lets us get straight to the
> > business of hate, debauchery, and self-annihilation." -- Johnny Hart
> >     ***testing, only testing, and damn good at it too!***
> >
> > OK, so you're a Ph.D.  Just don't touch anything.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> --
> May God Bless you and everything you touch.
>
> My "foundation" verse:
> Isaiah 54:17 No weapon that is formed against thee shall prosper; and
> every tongue that shall rise against thee in judgment thou shalt
> condemn. This is the heritage of the servants of the LORD, and their
> righteousness is of me, saith the LORD.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html