
Red Hat cutting back RHEL source availability

Posted Jun 22, 2023 18:54 UTC (Thu) by clump (subscriber, #27801)
In reply to: Red Hat cutting back RHEL source availability by ju3Ceemi
Parent article: Red Hat cutting back RHEL source availability

Distributions like RHEL and Debian may ship older versions of software. When security issues arise, maintainers may backport fixes or upgrade to newer versions.

More information for RHEL can be found here: https://access.redhat.com/security/updates/backporting


to post comments
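The backporting point above has a practical consequence for vulnerability scanning: a package can carry a fix for a CVE while its upstream version string stays unchanged, so comparing version numbers alone produces false positives. The following is an added example (not code from either poster or from Red Hat) that contrasts a naive version comparison with a changelog-based check on a constructed `rpm -q --changelog` style excerpt; the package version, CVE identifier and changelog entries are placeholders.

```python
import re

# Constructed sample in the style of `rpm -q --changelog openssl` output.
# Versions, dates, names and the CVE id are placeholders, not real data.
SAMPLE_CHANGELOG = """\
* Mon Jan 01 2024 Example Maintainer <maint@example.com> - 1.0.1e-99
- fix CVE-0000-0001 (placeholder id): add bounds check in example parser

* Mon Jun 05 2023 Example Maintainer <maint@example.com> - 1.0.1e-98
- rebuild for new minor release
"""

_SEG = re.compile(r"(\d+|[a-zA-Z]+)")


def version_key(version: str) -> list:
    """Split a version into comparable segments, roughly as rpmvercmp does:
    digit runs compare numerically, letter runs lexically, and a numeric
    segment sorts above an alphabetic one."""
    return [(1, int(s), "") if s.isdigit() else (0, 0, s)
            for s in _SEG.findall(version)]


def version_older_than(installed: str, fixed_in: str) -> bool:
    """Naive scanner logic: 'vulnerable' whenever the installed version
    string sorts below the upstream release that first carried the fix."""
    return version_key(installed) < version_key(fixed_in)


def changelog_fixes(changelog: str, cve_id: str) -> bool:
    """Backport-aware check: the distribution changelog names the CVE it
    fixed even though the upstream version number did not change."""
    pattern = re.compile(r"\b" + re.escape(cve_id) + r"\b", re.IGNORECASE)
    return bool(pattern.search(changelog))


def assess(installed: str, fixed_upstream: str, changelog: str, cve_id: str) -> dict:
    """Combine both views; a hit on both is a version-based false positive."""
    by_version = version_older_than(installed, fixed_upstream)
    by_changelog = changelog_fixes(changelog, cve_id)
    return {
        "flagged_by_version": by_version,
        "fixed_per_changelog": by_changelog,
        "false_positive": by_version and by_changelog,
    }


if __name__ == "__main__":
    # Installed 1.0.1e (constructed) vs. a fix that upstream first shipped in 1.0.1g.
    print(assess("1.0.1e", "1.0.1g", SAMPLE_CHANGELOG, "CVE-0000-0001"))
```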

Red Hat cutting back RHEL source availability

Posted Jun 22, 2023 19:19 UTC (Thu) by ju3Ceemi (subscriber, #102464)

Yes, yes, that's a nice story

On the other hand, let's have this other nice story
You have rhel 6, supported up to 2020, released in 2010 with openssl 1.0.0

TLS 1.2 has been added to openssl 1.0.1 in 2012

Question: in 2020, on my fully supported rhel 6 server, do I:
- use TLS 1.1, because that's all I can get and I am insecure
- use TLS 1.2, because redhat backported the whole TLS 1.2 implementation

Answer:
None
openssl was upgraded from 1.0.0 to 1.0.1 somewhen

So you started with a specific version, and upgraded to another
Basically, you could've just upgraded to the next release ..
Yes, I know that this "is just a library"

Yet if you have a very sensitive system, upgrading just that library means running the full qualification procedure

Anyway
From my personal experience in companies, 10-year support is very great because people can just fire some stuff and move on
Said stuff will rot in place, never to be touched in many years, but that is not my problem so I do not care
And then you come, consider said system, consider that everybody who worked with that thing left years ago
And you cry alone in the dark

3-year support is far better from a security perspective, because it is a reason to keep taking care of stuff: managers will give you time, security teams will prioritize, etc.
And when systems are kept sane all the time, as when you clean your house, the job is simple and easy
Whereas when you leave the dirt for years, good luck cleaning the mess ...

Security is nothing but psychology.

Red Hat cutting back RHEL source availability

Posted Jun 22, 2023 20:37 UTC (Thu) by clump (subscriber, #27801)

OpenSSL is a good example of what we're talking about. The answer to your question is to update the package and TLS version. See: https://access.redhat.com/articles/1462223

Ten+ year security doesn't make software less secure, quite the opposite. You can still upgrade to a new version of RHEL every two or three years. My experience is that organizations don't care as much about operating system versions as they do about the versions of the applications and languages they're running. In those cases, they're often providing their own OpenSSL or Java or Python. You might upgrade the OS every couple of years, but you're constantly upgrading your applications.

Too many of my customers *only* care about their applications. They don't think much about the underlying operating system. That's among my customers that self-manage. Many of my customers are running toward cloud services as fast as possible.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds