Sites which have deployed Red Hat Linux have a
difficult choice ahead of them. In the near future, Red Hat will cease
providing security updates for these releases. If you have a Red Hat Linux
system exposed to the net, you should be thinking about how you will keep
it secure once the official updates stop coming. There are a number of
choices available, none of which is perfect:
- Move over to Fedora core. Updates will be available for Fedora Core
releases, but only until the next version comes out. The update
policy for Fedora also differs from that of Red Hat Linux; rather than
backport fixes to the version of the affected program which was
originally distributed, Fedora will simply move to the current
version. That change will make security updates potentially more
disruptive. Updating the full system to a new Fedora Core release
twice a year may not be a viable option for many applications.
- Switch to a Red Hat Enterprise Linux release. RHEL will offer
long-term support and relative stability; all you have to do is pay
the price. Given that (as reported on
News.com) over 90% of RHEL customers are renewing their subscriptions,
it would appear that Red Hat is offering services with a real value.
Not everybody will be willing or able to pay that price tag, however.
- Switch to another distribution entirely. The nice thing about Linux
is that you can switch to another vendor when the need arises.
That still does not imply that changing distributions is a fun or easy
- Maintain security-critical packages in-house, from source. This
approach would work, assuming there is somebody with enough technical
expertise available who can also find the time to do that sort of
Red Hat Linux users are lucky; users of a proprietary system would not have
such a wealth of choices available to them. Even so, these users can be
forgiven for occasionally wishing that a "go on as if nothing had changed"
option existed as well.
That could yet happen. The Fedora Legacy Project is
forming with the goal of supporting Red Hat Linux and Fedora Core releases
past their official end of life. This project is still in its
organizational stages (the inevitable press release is still in
draft form) but its volunteers intend to start producing security
updates for (at least) Red Hat Linux 7.3 by the beginning of 2004, when
support for that release ends. Whether support for the 8.0 release will be
offered remains unclear; it depends on whether volunteers show up to
produce the updates. There are plans to support Red Hat Linux 9,
Continuing to use a deployed Red Hat Linux system with the expectation that
the Fedora Legacy Project will supply security updates is a bit of a risky
option. The project is new and still organizing; there is no way to know
whether it will put together the necessary mass of sufficiently talented and
motivated engineers to produce reliable security updates in a timely
manner. There is no doubt that a volunteer project can perform this
sort of task with high-quality results, however, and there should be enough
deployed Red Hat Linux systems to motivate a large pool of potential
to post comments)