Hi Richard,

> I have no doubts that it would be fairly easy to
> create enough value added for a premium service that anyone with $ could
> not live without. The question is just how many of these people are
> there?
Indeed, that seems to be the main question. And the way it looks right
now, the answer to that is _1_ (you). Maybe I made the mistake of not
telling people on this list what kind of charge we were thinking about
(I _really_ didn't want to misuse this list as a marketing media for
something my company might offer, which is why I didn't go into detail).
What we had in mind was something between $50 and $100 per year
(depending on how many people were interested) - but since nobody at all
showed any interest, I guess the average leaf userbase simply doesn't
need such service (I can't see any other reason why nobody even mailed
to find out what the charge might be). That's ok with me (I have enough
things on my hands at the moment anyway), but I guess this means that
despite the fact that leaf (Bering uClibc in particular, but also the
other flavours of leaf) offers some "enterprise grade" features, it is
mainly used by home users and hobbyists, who don't need such kind of
service.

> To put it another way, how many LEAF firewalls are deployed in
> production by companies or other NGOs?
Well, I was wondering about that myself. Apparently not too many - or at
least, not too many that aren't taken care of by a competent
administrator who can take care of security updates himself/herself.

Or maybe (and looking at the recent months, that's actually not too
unlikely), the "best effort" service provided by the maintainers of the
various leaf distributions is simply good enough (especially for those
people who don't need to answer to a manager who doesn't understand
anything about open source, but only understands SLAs). Usually, despite
the fact that it's done on people's spare time, packages with security
issues are updated in a _very_ timely manner, so a leaf box is rarely
ever exposed to a threat for any extended period of time, without a fix
being available (whether the administrators in question will actually
apply that fix is a different matter, of course).

> As to the service, I guess you would have to monitor one or more sources
> that track security issues and other vulnerabilities in Linux programs
> and match them up against what is included in each of one or more uClibc
> versions to determine if any updated LRPs need to be created and
> disseminated.
Well, that part is already done by several people, myself being one of
them (I only know about the Bering uClibc crew of course, but I know
that several people are monitoring several security related lists). To
me, when one publishes a leaf package, one also has the responsibility
of making sure that the latest version one is offering has no known
security exploits (within reason, I guess - there are times when the
"fix" to the exploit will simply not compile in a leaf build
environment, in which cases it will most likely take a bit longer until
a fixed package is released).
The only difference a "commercial service" might have brought would have
been some sort of "assured response time", since within a company, it
would have been possible to take care of people being on vacation (it's
amazing, but whenever an OpenSSH/OpenSSL exploit is published, you can
pretty much guarantee that I [currently the maintainer of those
packages] am on vacation, or completely tied up with something else...),
people calling in sick and so on, and still make sure the service is
being offered uninterruptedly.

> This service could also include notices of issues that may not require a
> new LRP but may have to do with configuration settings that may be
> insecure or cause issues.
Indeed - but usually, such an advisory also comes with an updated
package, that fixes the vulnerability of the package, even with that
special configuration setting. But either way, such a
"security-announce" list would have included both kinds of security
issues (well, within reason - if somebody decides to "configure" his box
to have no iptables rules at all, install samba, bind and who knows what
else, and use weak passwords, no update service in the world would be
able to help. I guess that's where outsourcing administration of
routers/firewalls would come in - which definitely isn't something I was
thinking of offering ;-))

> Can anyone else out there respond with their interest????
I guess not. If you're still interested, please contact me off-list, and
maybe we can work something out (I/my company are not out to make a
fortune on this) - but the way it looks to me right now, there's just no
demand whatsoever for that kind of service within the leaf community.

Martin



leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/