LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Fedora and long term support

Fedora and long term support

Posted Oct 17, 2008 21:51 UTC (Fri) by JoeBuck (subscriber, #2330)
In reply to: Fedora and long term support by Tet
Parent article: Fedora and long term support

I've run every Fedora since FC1, as well a the old box-set Red Hat releases going back to the late 1990s. It was clear when FC1 came out that it was, in effect, the beta for what was going into RHEL releases, so everyone expected it to be bleeding edge and a bit rough, though not as rough as Red Hat marketing people of the time were suggesting (they were actively trying to scare non-hobbyists away from Fedora by exaggerating its instability and risk).

(Log in to post comments)

Fedora and long term support

Posted Oct 18, 2008 1:24 UTC (Sat) by SEJeff (subscriber, #51588) [Link]

Fedora Core 1 was tolerable. When they released Fedora Core 2 with SELinux
turned on by default was when it was a nightmare. I've got a Fedora 10 box
beside me and it is actually quite nice. Most of my workstations are Ubuntu
thought because it "just works TM".

Ubuntu doesn't belong on a server, RHEL or CentOS does. Just my 2 cents.

Fedora and long term support

Posted Oct 18, 2008 1:49 UTC (Sat) by rahulsundaram (subscriber, #21946) [Link]

Fedora Core 2 did not include SELinux by default in the GA release. You are plain incorrect about that. I assume you are referring to the development release (rawhide), when you refer to "Fedora 10" as well.

Fedora and long term support

Posted Oct 19, 2008 0:22 UTC (Sun) by sbergman27 (guest, #10767) [Link]

Fedora Core 2 included it. IIRC it was set to permissive mode or disabled. I can't remember which. But I'm not sure what the significance of your "correction" is other than to prevaricate, since the SELinux nightmare did begin in earnest in Fedora Core 3. (I recognize a tactic that you have employed previously.) It was only in FC6 that users were even provided the tools to fight SELinux effectively. Does the fact of its introduction being in FC2 or FC3 really make a difference today, 4 years later?

Fedora and long term support

Posted Oct 19, 2008 0:49 UTC (Sun) by rahulsundaram (subscriber, #21946) [Link]

Getting the details right is always important even if we are discussing something in the distant past. SELinux was not enabled by default in Fedora Core 2. So the claim that it was a "nightmare" for that release was obviously incorrect. If your experience is only with a test release of Fedora Core 2 then extrapolating it to the GA release or even a later release would be incorrect which I have seen many many users do.

Fedora Core 3 (only about a dozen network facing services and I doubt it presented any major obstacles) and later releases up until Fedora 8 enabled only the targeted policy by default. Strict policy was available in the repository however. In Fedora 9, strict and targeted policy was combined together.

Tools related to policy management were provided right from the beginning including ones to manage SELinux booleans, audit policies etc. I am assuming you are referring to SELinux troubleshooter which is only one among many of the tools provided within Fedora related to SELinux.
system-config-securitylevel and later system-config-selinux was available for desktop users as well.

Fedora and long term support

Posted Oct 19, 2008 2:10 UTC (Sun) by sbergman27 (guest, #10767) [Link]

"""
Getting the details right is always important even if we are discussing something in the distant past.
"""

The most important detail regarding SELinux is that there has been a great deal of pain experienced by users. Turning off SELinux is still a standard policy among those users, though actually saying so in public has become stigmatized.

It is good that Fedora devs had the presence of mind to provide tools to turn it completely off.

Fedora and long term support

Posted Oct 19, 2008 3:40 UTC (Sun) by JoeBuck (subscriber, #2330) [Link]

I've run my home systems with SELinux on for some time. By now, they've gotten the kinks out, and the only way to do it was to get lots of people running it and working out the bugs.

Fedora and long term support

Posted Oct 19, 2008 3:58 UTC (Sun) by vonbrand (subscriber, #4458) [Link]

Same here. Yes, it was a pain at the start, now it is almost unnoticeable.

Fedora and long term support

Posted Oct 19, 2008 3:59 UTC (Sun) by sbergman27 (guest, #10767) [Link]

"""
I've run my home systems with SELinux on for some time.
"""

Good for you. Last I looked adding a printer using lpadmin with SELinux enabled created a situation where the printer worked perfectly... until the system was rebooted, and then it was as if you had never executed any of your lpadmin commands.

"Security" is supposed to do less damage to you than to the other guy. I'm not at all sure that SELinux achieves that goal except in certain select circumstances.

Fedora and long term support

Posted Oct 19, 2008 10:48 UTC (Sun) by dwmw2 (subscriber, #2063) [Link]

Good for you. Last I looked adding a printer using lpadmin with SELinux enabled created a situation where the printer worked perfectly... until the system was rebooted, and then it was as if you had never executed any of your lpadmin commands.
Bug number please. I'm willing to bet it got fixed within days of being filed.... if you actually bothered to file it. The SELinux folks are really good at responding to bug reports like that.

Fedora and long term support

Posted Oct 19, 2008 16:15 UTC (Sun) by sbergman27 (guest, #10767) [Link]

It was in RHEL/CentOS. So it made it quite a few "days" before being fixed. Months to years, actually.

Fedora and long term support

Posted Oct 19, 2008 22:49 UTC (Sun) by wtogami (subscriber, #32325) [Link]

> It was in RHEL/CentOS. So it made it quite a few "days" before being
> fixed. Months to years, actually.

You claim to be impartial, yet I find many of your comments to be incredibly annoying and with half-FUD.

http://people.redhat.com/dwalsh/SELinux/RHEL5/
On this particular topic, dwalsh regularly responds to RHEL bug reports and updates test packages of RHEL5 SELinux policies. He wants people to try the latest crafted policies here which eventually get pulled into the next RHEL5.x update release.

Where is the bug that you filed for your issue? If you speak in generalities without citing real examples then you are spouting FUD.

Fedora and long term support

Posted Oct 20, 2008 2:09 UTC (Mon) by sbergman27 (guest, #10767) [Link]

"""
You claim to be impartial, yet I find many of your comments to be incredibly annoying and with half-FUD.
"""

Warren,

I don't claim to be impartial. I claim to be a RHEL/Fedora fan with some complaints. I'm sorry that you find my comments to be annoying, and take issue with your claim that they are "half-FUD". I certainly respect your contributions.

Please do not hide behind the "where's your bug report" facade. I may have reported it. But I think I worked around that irritation and moved on. IIRC, I had 6 retail stores to open that weekend.

Bugs in RHEL/CentOS are rare enough. I don't want to give the impression that they are not. But the bug I reference did make it through the process, bug number or no. And it's Fedora that's really buggy.

Fedora and long term support

Posted Oct 20, 2008 10:55 UTC (Mon) by rahulsundaram (subscriber, #21946) [Link]

Any actual bug reports related to SELinux are usually fixed within a very short time. As David Woodhouse indicates, SELinux developers are among the most responsive and fix any real issues very quickly. Despite unsubstantiated claims to the contrary, actual stats (smolt, RHN etc) indicate that majority of users leave SELinux enabled on their systems and that number tend to go up over time.

There are many real world security exploits getting mitigated or prevented by SELinux. It is also getting adopted by Ubuntu and even OpenSUSE. Feel free to draw your own conclusions from all that but it seems obvious to me.

Fedora and long term support

Posted Oct 20, 2008 14:04 UTC (Mon) by sbergman27 (guest, #10767) [Link]

You don't have to take my word for it. Install RHEL/Centos 4.3. Create a printer with lpadmin. Test it out. Reboot the machine... and you will find that it does not even appear in printers.conf. This may be true in the current 4.7 release, as well. It made it through Fedora and at least 4 releases of RHEL. Why not 4 more?

Ubuntu provides the Selinux libraries in Intrepid. But the far more sane and less problematic AppArmor is used by default. I have not kept up with what the MS-Linux devs are doing. But last I looked, AppArmor was the default there, as well.

Fedora and long term support

Posted Oct 20, 2008 15:34 UTC (Mon) by rahulsundaram (subscriber, #21946) [Link]

Filing a bug report is easier for you and certainly much easier than getting me to install another operating system to verify any bug. I am not questioning your claim. Merely saying that reported bugs have a much better chance of actually getting fixed and that SELinux developers are a pretty responsive bunch in my experience.

Ubuntu doesn't seem to have included the latest policies yet but they likely will considering that Tresys is working on it.

I am not sure, Apparmor has a bright future considering Novell's action's.

http://www.news.com/8301-13580_3-9796140-39.html

It is unlikely, Ubuntu has developers working on it either. This is a still a solution that hasn't gotten upstream yet though it might change at some point

http://james-morris.livejournal.com/35287.html

Let's see

Fedora and long term support

Posted Oct 20, 2008 19:02 UTC (Mon) by sbergman27 (guest, #10767) [Link]

"""
Filing a bug report is easier for you and certainly much easier than getting me to install another operating system to verify any bug.
"""

That's pretty typical of my interaction with Fedora officials: "You are the user. We expect you to do the work".

No wonder Fedora has lost so much ground with Linux users over the last few years. I won't mention which distro has picked up all the ground that Fedora has lost.

Fedora and long term support

Posted Oct 20, 2008 19:38 UTC (Mon) by rahulsundaram (subscriber, #21946) [Link]

Steve, you are now bordering on trolling. You are talking about a CentOS bug and then referring to losing Fedora users. Get your story straight. No project can magically fix issues without it getting reported with the specific details.

If popularity is the only argument for all the tired conversations, Windows must be fixing all their bugs to be so popular! Yes, Fedora does rely on its users to share some of the burden and I believe so does all Linux distributions. In this case, it is simple: You as a user report the SELinux bug you claim to run across and developers will fix it pretty quickly usually completely for free. Seems a fair deal to me. I am not going to install CentOS 4.7 to verify the bug you claim to exist.

A) Because I am not a CentOS user. I run Fedora on pretty much all my systems 24/7 and my primary system at the moment runs rawhide in part because I want to help fix bugs before it hits most users. That will help you, the CentOS user as well in the long run but not immediately.

B) The particular issue with printers is unlikely to be something I can verify easily considering that I don't have access to a printer at the moment.

If that makes me a bad guy, so be it. Good luck.

Fedora and long term support

Posted Oct 21, 2008 3:13 UTC (Tue) by sbergman27 (guest, #10767) [Link]

"""
Steve, you are now bordering on trolling.
"""

I don't think so. Microsoft certainly must be doing a few things right to retain their popularity with the general public. Though, as we both must know, they do a few things wrong, as well. Conversely, Fedora does a few things right, and a lot of things wrong, as well.

Fedora and long term support

Posted Oct 21, 2008 6:42 UTC (Tue) by rahulsundaram (subscriber, #21946) [Link]

I am sure Fedora does some things wrong just like any other project but not fixing unreported CentOS bugs isn't in that list. I am happy to tell you that.

Fedora and long term support

Posted Oct 20, 2008 23:27 UTC (Mon) by mmcgrath (subscriber, #44906) [Link]

"No wonder Fedora has lost so much ground with Linux users over the last few years. I won't mention which distro has picked up all the ground that Fedora has lost."

That's so strange - all of our metrics, which are publicly available btw, show a continued growth in use of Fedora. As to which distro seems to have picked up all the ground we've "lost" which metrics / numbers are you referring to?

Fedora and long term support

Posted Oct 21, 2008 3:01 UTC (Tue) by sbergman27 (guest, #10767) [Link]

As to which distro seems to have picked up all the ground we've "lost" which metrics / numbers are you referring to?

Do I even need to mention it? No doubt the absolute numbers show an increase. Go Linux! Go Home Computing, and Computing in general!

But Fedora's percentage of the market has fallen dramatically in the last few years.

Fedora and long term support

Posted Oct 21, 2008 3:11 UTC (Tue) by mmcgrath (subscriber, #44906) [Link]

Sorry, that's an opinion. Not a fact. Show me metrics from any distro or show Fedora how it's own metrics show lost share. Any actual facts released by a distro will do, otherwise you're treating opinion as a fact.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds