A consortium of five companies, including MandrakeSoft, has
been awarded a contract from the French Ministry of Defense to deliver
a Linux-based OS certified at Common
Criteria Evaluation Assurance Level 5 (CC-EAL5). The three-year
contract is worth €7 million, with MandrakeSoft's share totaling
€1 million. Participating in the contract with MandrakeSoft are Bertin
Technologies, Surlog, Jaluna, and Oppida.
We contacted MandrakeSoft co-founder Gaël Duval about the contract and
to get a little more information about the process. The EAL5 certification may
seem a bit ambitious, particularly since no other Linux vendor has achieved
that level of certification for a Linux OS. In fact, none of the competing
OSes have reached that level of certification either.
At the moment, the Linux distribution with the highest level of EAL
certification is Novell's SUSE
Linux Enterprise Server (SLES) 8 (PDF), which achieved EAL3+ with IBM's help.
There are seven levels of CC-EAL certification. In a nutshell, an EAL5
certification designates that a system's features and security level are
certified, and that development follows "formalized or
We asked Duval if MandrakeSoft had any prior experience with this type of
Not exactly but we introduced advanced security features in Mandrakelinux
products early (Mandrakelinux 7.0, which was released in early 2000). We
also sponsored several Open Source security projects. And we have
a line of security products (Single Network Firewall & Multi Network
Firewall). So security is a long-time tradition at Mandrakesoft.
Of course, MandrakeSoft is not the only vendor working on this project. Oppida is an officially
authorized Common Criteria Information Technologies Security Evaluation Facility
(ITSEF), making it an ideal partner for a project of this kind. Surlog's expertise is in
providing tools to evaluate software and system dependability. Jaluna provides real-time and
high-availability solutions, including solutions based on Linux.
We also asked Duval how MandrakeSoft became involved with this effort, and
how the consortium came into being. Duval didn't provide a great deal of
We know these companies and they know us, so it's a natural arrangement
because every actor has some technology and expertise to bring.
Unfortunately, it will be some time before the work that the consortium is
doing shows up for use by the community. According to Duval, the plan is to
keep development separate from Mandrake Linux development:
It will be totally outside of the Mandrakelinux product roadmap. Several
actors take part in this project, which will be released in Open Source
Duval did allow that some of the work might show up "later" in
the development process. We also asked what license would be used for any
work created for this project. Duval said that he doesn't have any
information about licensing details, just that it would be an open source
Three years is quite a long time, so it will be interesting to see whether
MandrakeSoft is the first Linux vendor to reach EAL5, or if Novell or Red
Hat beat them to the punch. Novell has already said
that it hopes to gain EAL4 certification in the near future. No doubt,
Novell will be setting its sights on EAL5 shortly thereafter.
For the larger picture, of course, it won't matter whether Novell or
MandrakeSoft reaches the finish line first. Achieving EAL5 will be yet
another feather in Linux's cap, another milestone reached that will allow
governments and organizations to move to Linux instead of proprietary