
Red Hat cutting back RHEL source availability

Red Hat cutting back RHEL source availability

Posted Jun 21, 2023 20:17 UTC (Wed) by pgarciaq (subscriber, #153687)
In reply to: Red Hat cutting back RHEL source availability by ju3Ceemi
Parent article: Red Hat cutting back RHEL source availability

In which sane world do you run a ten-year-old libssl? In which sane world do you use a ten-year-old screen?

In essentially any enterprise environment, actually.


Red Hat cutting back RHEL source availability

Posted Jun 21, 2023 20:21 UTC (Wed) by ju3Ceemi (subscriber, #102464) (4 responses)

Those same environments that close for two months after a cyberattack?
I don't know, I've worked for many companies and never met such choices with a successful outcome: it was always a failure.

Red Hat cutting back RHEL source availability

Posted Jun 22, 2023 18:54 UTC (Thu) by clump (subscriber, #27801) (2 responses)

Distributions like RHEL and Debian may ship older versions of software. When security issues arise, maintainers may backport fixes or upgrade to newer versions.

More information for RHEL can be found here: https://access.redhat.com/security/updates/backporting
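
A practical consequence of backporting, as an added example (not from the thread and not Red Hat's own code): the upstream version string alone does not tell you whether a given CVE is fixed in an RPM-based distribution, so the check is to look for the CVE id in the package changelog. Assumes a POSIX shell with grep supporting -E/-o and sort; the changelog text, versions and CVE ids are constructed placeholders, and rpm is only needed for the live-system wrapper.

```shell
#!/bin/sh
# Added example: on RPM-based systems the upstream version string hides
# backported fixes, so check the package changelog for the CVE id instead
# of comparing version numbers.
# Assumes POSIX sh, grep with -E and -o, sort. `rpm` is only used by the
# live-system wrapper at the bottom, not by the embedded sample.

# Constructed sample in the format `rpm -q --changelog <pkg>` prints.
# CVE ids with year 1900 and the versions are placeholders, not real advisories.
SAMPLE_CHANGELOG='* Mon Jan 06 2020 Example Maintainer <maint@example.com> - 1.0.1-99
- fix CVE-1900-0001 (placeholder) in the TLS handshake
- fix CVE-1900-0002 (placeholder) in ASN.1 parsing

* Mon Jun 04 2012 Example Maintainer <maint@example.com> - 1.0.1-1
- rebase to upstream 1.0.1, adds TLS 1.2
'

# List every CVE id mentioned in a changelog read from stdin, one per line.
changelog_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if the CVE id given as $1 appears in the changelog read from stdin.
# Absence does not prove the package is vulnerable (it may predate the bug
# or carry the upstream fix); it means the claim needs to be verified.
cve_in_changelog() {
    changelog_cves | grep -qx -- "$1"
}

# Wrapper for a live system, e.g. `check_rpm_cve openssl CVE-YYYY-NNNN`.
check_rpm_cve() {
    rpm -q --changelog "$1" | cve_in_changelog "$2"
}

# Demonstration against the constructed sample.
for id in CVE-1900-0001 CVE-1900-0003; do
    if printf '%s' "$SAMPLE_CHANGELOG" | cve_in_changelog "$id"; then
        echo "$id: fix listed in package changelog"
    else
        echo "$id: not listed; verify before assuming it is fixed"
    fi
done
```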

Red Hat cutting back RHEL source availability

Posted Jun 22, 2023 19:19 UTC (Thu) by ju3Ceemi (subscriber, #102464) (1 response)

Yes, yes, that's a nice story

On the other hand, let's have this other nice story
You have rhel 6, supported up to 2020, released in 2010 with openssl 1.0.0

TLS 1.2 was added to openssl 1.0.1 in 2012

Question: in 2020, on my fully supported rhel 6 server, do I:
- use TLS 1.1, because that's all I can get and I am insecure
- use TLS 1.2, because redhat backported the whole TLS 1.2 implementation

Answer:
None
openssl was upgraded from 1.0.0 to 1.0.1 somewhen

So you started with a specific version, and upgraded to another
Basically, you could've just upgraded to the next release ..
Yes, I know that this "is just a library"

Yet if you have a very sensitive system, upgrading just that library means running the full qualification procedure

Anyway
From my personal experience in companies, 10-year support is very great because people can just fire some stuff and move on
Said stuff will rot in place, never to be touched in many years, but that is not my problem so I do not care
And then you come, consider said system, consider that everybody who worked with that thing left years ago
And you cry alone in the dark

3-year support is far better from a security perspective, because it is a reason to keep taking care of stuff: managers will give you time, security teams will prioritize etc
And when systems are kept sane all the time, as when you clean your house, the job is simple and easy
Whereas when you leave the dirt for years, good luck cleaning the mess ...

Security is nothing but psychology.

Red Hat cutting back RHEL source availability

Posted Jun 22, 2023 20:37 UTC (Thu) by clump (subscriber, #27801)

OpenSSL is a good example of what we're talking about. The answer to your question is to update the package and TLS version. See: https://access.redhat.com/articles/1462223

Ten+ year security doesn't make software less secure, quite the opposite. You can still upgrade to a new version of RHEL every two or three years. My experience is that organizations don't care as much about operating system versions as they do about the versions of the applications and languages they're running. In those cases, they're often providing their own OpenSSL or Java or Python. You might upgrade the OS every couple of years, but you're constantly upgrading your applications.

Too many of my customers *only* care about their applications. They don't think much about the underlying operating system. That's among my customers that self-manage. Many of my customers are running toward cloud services as fast as possible.

Red Hat cutting back RHEL source availability

Posted Jun 23, 2023 13:40 UTC (Fri) by Freecoffee (guest, #165758)

From the security perspective new is not always better, and the work RHEL does is epic at this point.

There was a time in computing when everything could be free/semi free and open but all that leads to now is lack of viability and longevity of the work.

In case anyone has not noticed, the billion hours of coding in Flash sites evaporated from the internet.

I have worked in development for companies and the honest truth is no one can afford to direct resources to perfection and reinventing the wheel.
Yes, ivy grows over entire areas of apps and business processes, and in a perfect world there would be maintenance, but that is not any company I have ever worked for.

On a side note, the cloud is great until you need to have stable costs. It does not give an operation a lot of leverage in negotiation when you are dependent on the cloud for your business infrastructure. No asset model, what could go wrong?


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds