Re: Concerns with Open/OS Corporate Linux ads?
Henning Makholm wrote:
> As a random data point, take DSA-1116 (a buffer overrun with no known
> exploit, in a quite popular piece of desktop software), where I happen
> to have a timeline:
>
> July 1  - reported privately to security team, with patch
> July 6  - bug goes public through upstream's BTS, Debian bug filed
> July 7  - upstream releases fixed version
> July 7  - fixed in NMU to unstable
> July 13 - bug reaches front of security team's attention queue.
>           DSA and update to sarge prepared, but is stalled by some
>           buildd problem on a minor architecture.
> July 18 - fix propagates from unstable to testing
> July 21 - fixed in sarge, DSA released

You know, that's not actually that bad. Significantly better than before the security team. Way better than Microsoft!

> It is not my point to criticize the security team; I have no reason to
> think they are not doing an absolutely fantastic job within the
> externally-imposed constraints of volunteer work, unstable supplies of
> free time in which to do the work, donated autobuilder machines spread
> around the world and run by a different set of volunteers, and so on
> and so forth.
>
> But it is also clear that a business which makes it a strategic
> priority to compete on the timeliness of security updates *could* well
> provide some real value over our stable and testing suites here, even
> - as in this case - when we have a 5-day head start. Whether the
> company in question *is* actually such a business or it is just making
> empty promises, can of course not be discerned just by reading their
> ad.

-- 
Nathanael Nerode <[EMAIL PROTECTED]>

Bush admitted to violating FISA and said he was proud of it.
So why isn't he in prison yet?...

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Concerns with Open/OS Corporate Linux ads?
martin f krafft wrote:
> and that they add support and maintenance, which adds the features
>
> - reliable release cycle
> - newest packages
> - security team
> - security administration

Their latest security update is from February...

Cheers,
Moritz
Re: Concerns with Open/OS Corporate Linux ads?
martin f krafft <[EMAIL PROTECTED]> wrote:
> I am holding in my hands the 09/06 copy of the German Linux Magazin,
> and on page 76, opensourcefactory.com has advertised Open/OS
> Corporate Linux [0], which apparently makes Debian "mature".
[...]
> I'd be interested in what people think. Am I just overreacting?

I think it's a legitimate concern and you should move constructively to address it in the forum(s) it appeared in.

> Should we do anything about this? If so, what?

As a first step, send an open letter 'Debian Developer to Open/OS - are you mature enough to help Debian?' suggesting how they could use their stated features to help the project, if they are anything more than a childish scalper who takes resources from the commons without giving anything back. At a basic level, how much of the EUR 249 do they contribute back to the project, on average, directly or in kind?

You may also like to challenge their less clear claims, such as:

- who has their "jahrelangem Debian Know-How" (years of Debian know-how; German: all your language are belong to us) and how "hochqualifiziert" (highly qualified) are they?
- do the regression tests in their "umfangreiche Testverfahren" (extensive test procedures) cover all web servers, all mail servers and so on, or does Open/OS give users less choice if they want the testing?
- just how "fest" (firm) are their "Reaktionszeiten" (response times)?

Just some ideas,
-- 
MJ Ray - see http://mjr.towers.org.uk/email.html
North End, Lynn, Norfolk, England
Work: http://www.ttllp.co.uk/
IRC/Jabber/SIP: on request
Re: Reduce security release latency - Re: Concerns with Open/OS Corporate Linux ads?
On Wed, 30 Aug 2006, Alexander Sack wrote:
> Of course, we don't want to have 2nd class architectures, but waiting
> for architectures to finish that are used "only" by a minority looks
> flawed either. Especially if there is a buildd breakage involved.

Zero tolerance for buildd breakage should be a norm for security updates IMHO. Even if it is the ia32, ppc or amd64 buildd.

I don't mean "let's not even wait for ", although it would make a great deal of sense to me to have a wait window of no more than 8 hours for the _security_ buildds. What I do mean is: "if it doesn't build right away, and it looks like a buildd issue (and not a problem with the package), we don't wait for it to build at all, and push the updates as they become available".

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
Re: Concerns with Open/OS Corporate Linux ads?
thus spoke Ottavio Caruso <[EMAIL PROTECTED]> [2006.08.30.1048 +0100]:
> I can't see the 'Debian of full age' thing, I am not
> very fluent in German but I can't see any reference to
> this statement.

The title: "Debian volljährig!" ("Debian of full age!")

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck http://debiansystem.info
  `-     Debian - when you have better things to do than fixing systems

"is god an invention of the devil?" - friedrich nietzsche
Re: Concerns with Open/OS Corporate Linux ads?
martin f krafft wrote:
> and since their ad is entitled "Debian of full age", it kind of
> suggests that Debian per se is immature, a child, an assertion I'd
> strongly oppose.

I can't see the 'Debian of full age' thing, I am not very fluent in German but I can't see any reference to this statement. As far as I understand they stress the concept of Debian=stability; in this regard I think they are presenting Debian in a very good light. I can't see any hint of Debian being immature, either. If they did, they'd sound ridiculous, as Debian is often criticized for being 'geriatrically' mature, an assertion that I can understand but oppose.

Ottavio Caruso

-- 
Please follow up to the mailing list!
Re: Concerns with Open/OS Corporate Linux ads?
thus spoke Paul Johnson <[EMAIL PROTECTED]> [2006.08.30.0236 +0100]:
> Perhaps ask them kindly to either contribute their work back to
> Debian, or stop using "Debian" in their advertising and packaging.

This is what I was thinking about. However, is it what we want? After all, I think we *want* them to state they are based on Debian in such a prominent way, just not make the comparisons look as if Debian couldn't stand on its own feet.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck http://debiansystem.info
  `-     Debian - when you have better things to do than fixing systems

"every day is long. 86400 doesn't fit in a short."
Reduce security release latency - Re: Concerns with Open/OS Corporate Linux ads?
On Tue, Aug 29, 2006 at 11:58:16PM +0200, martin f krafft wrote:
> thus spoke Henning Makholm <[EMAIL PROTECTED]> [2006.08.29.2310 +0200]:
> > We also shouldn't fool ourselves into thinking that a commercial
> > repackager with a real dedication to security support (say, by hiring
> > a handful of full-time employees to keep it current, and also by
> > restricting their attention to one or a few architectures) could not
> > beat _our_ overworked, underpaid (etc) security team.
>
> Of course not. Yet I still thought their ad makes it look like we
> don't have anything...
>
> > July 6 - bug goes public through upstream's BTS, Debian bug filed
> > July 21 - fixed in sarge, DSA released
>
> I know this is a ridiculous time span, but it's better than nothing.

IMO it would be good to think about reducing average security release latency by rolling them out as soon as packages have finished building on all "major" architectures (>95% of our user base) ... and then push fixed packages for "minor" architectures as soon as they become available.

Of course, we don't want to have 2nd class architectures, but waiting for architectures to finish that are used "only" by a minority looks flawed too. Especially if there is a buildd breakage involved.

I know it's a difficult question, but at least for large packages the latency could certainly be reduced significantly. Is there room for this kind of improvement within the bounds of our premises?

- Alexander

-- 
 GPG messages preferred.    |  .''`.  ** Debian GNU/Linux **
 Alexander Sack             | : :' :      The universal
 [EMAIL PROTECTED]          | `. `'     Operating System
 http://www.asoftsite.org/  |   `-    http://www.debian.org/
Re: Concerns with Open/OS Corporate Linux ads?
Henning Makholm wrote:
> martin f krafft <[EMAIL PROTECTED]> wrote:
> > thus spoke Henning Makholm <[EMAIL PROTECTED]> [2006.08.29.2310 +0200]:
>
> >> July 6 - bug goes public through upstream's BTS, Debian bug filed
> >> July 21 - fixed in sarge, DSA released
>
> > I know this is a ridiculous time span, but it's better than nothing.
>
> Certainly it's better than nothing. My point was merely that there is
> plenty of window for opensourcefactory.com to do _better_, and if they
> actually manage to, they do get the moral right to brag about it.

The question is: Do they?

Regards,
Joey

-- 
Have you ever noticed that "General Public Licence" contains the word "Pub"?
Re: Concerns with Open/OS Corporate Linux ads?
On Tue, Aug 29, 2006 at 07:17:39PM +0200, martin f krafft wrote:
> I am holding in my hands the 09/06 copy of the German Linux Magazin,
> and on page 76, opensourcefactory.com has advertised Open/OS
> Corporate Linux [0], which apparently makes Debian "mature".

> While I applaud their efforts and I think it's exceptionally great
> how they are open about Debian forming the basis of their product
> (!), the ad also leaves a weird aftertaste,

> and since their ad is entitled "Debian of full age", it kind of
> suggests that Debian per se is immature, a child, an assertion I'd
> strongly oppose.

> I'd be interested in what people think. Am I just overreacting?

Martin, this is an *ad*. Ads lie, as long as it cannot be unambiguously proven they lied.

-- 
Lionel
Re: Concerns with Open/OS Corporate Linux ads?
* martin f krafft [Tue, 29 Aug 2006 19:17:39 +0200]:

> Then they go on to state that Debian is
> - reliable
> - secure
> - upgradeable
> - integrateable
> - preconfigured
> - remotely administratable
> and that they add support and maintenance, which adds the features
> - reliable release cycle
> - newest packages
> - security team
> - preselected packages
> - security administration
> - certification
> - software tests

> I'd be interested in what people think. Am I just overreacting?

I think you're reacting in the wrong direction (or at least, in the wrong direction for a *first* reaction.)

With this I mean that, if Debian initiates contact with this entity, I'd like for it to be to mention that, if they're interested, they can contact DPL-delegated Project Member Joe to work out and discuss possible ways to have some of their work go back to Debian. (See below)

I'd offer myself, but while I know the Debian side well, I'm quite unfamiliar with the enterprise environment. I'd be happy to act as an assistant of the delegated person, should anybody step up. :-)

* * *

Having their work go back to Debian may sound impossible to you if you think of "straightaway", but it should be workable. To mention a couple of ideas:

* release the backports they produce ("newest packages") after a while; e.g. release the backport for AppFrog X.Y.Z right after they've made X.Y.Z+1 available to their clients; or X.Y+1.0; or X+1.0.0.

* allow the staff that prepares security updates for them to spend 1 out of each X working hours preparing a patch for a vulnerability present in a stable package they don't support, coordinating with the Security Team so as not to duplicate effort.

Cheers,

-- 
Adeodato Simó                               dato at net.com.org.es
Debian Developer                            adeodato at debian.org

"Now that you're my wife, I'll screw you to the spleen, you sow!"
("Ara que ets la meva dona, te la fotré fins a la melsa, bacona!")
                -- Terenci Moix, "Chulas y famosas"
Re: Concerns with Open/OS Corporate Linux ads?
On Tuesday 29 August 2006 10:17, martin f krafft wrote:
> I'd be interested in what people think. Am I just overreacting?

Ironically, suggesting Debian is immature is in itself childish, especially to pitch a product with zero track record to date. That aside, they give the impression that they're just doing a cut-and-run on the process instead of being part of the cure.

> Should we do anything about this? If so, what?

Perhaps ask them kindly to either contribute their work back to Debian, or stop using "Debian" in their advertising and packaging.

-- 
Paul Johnson
Email and IM (XMPP & Google Talk): [EMAIL PROTECTED]
Re: Concerns with Open/OS Corporate Linux ads?
martin f krafft <[EMAIL PROTECTED]> wrote:
> thus spoke Henning Makholm <[EMAIL PROTECTED]> [2006.08.29.2310 +0200]:

>> July 6 - bug goes public through upstream's BTS, Debian bug filed
>> July 21 - fixed in sarge, DSA released

> I know this is a ridiculous time span, but it's better than nothing.

Certainly it's better than nothing. My point was merely that there is plenty of window for opensourcefactory.com to do _better_, and if they actually manage to, they do get the moral right to brag about it.

-- 
Henning Makholm                  "All happiness in one word: Overweight!"
                                 ("Al lykken er i ét ord: Overvægtig!")
Re: Concerns with Open/OS Corporate Linux ads?
thus spoke Henning Makholm <[EMAIL PROTECTED]> [2006.08.29.2310 +0200]:
> We also shouldn't fool ourselves into thinking that a commercial
> repackager with a real dedication to security support (say, by hiring
> a handful of full-time employees to keep it current, and also by
> restricting their attention to one or a few architectures) could not
> beat _our_ overworked, underpaid (etc) security team.

Of course not. Yet I still thought their ad makes it look like we don't have anything...

> July 6 - bug goes public through upstream's BTS, Debian bug filed
> July 21 - fixed in sarge, DSA released

I know this is a ridiculous time span, but it's better than nothing.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck http://debiansystem.info
  `-     Debian - when you have better things to do than fixing systems

"a man who does not realise that he is half an animal is only half a man."
                                                       -- thornton wilder
Re: Concerns with Open/OS Corporate Linux ads?
Benjamin Mesing <[EMAIL PROTECTED]> wrote:

>> - we have our own security team

> That isn't negated by their add, in fact they state that Debian is
> secure. And Debian has lacked security support for new software for a
> long time (I believe testing is supported now).

We also shouldn't fool ourselves into thinking that a commercial repackager with a real dedication to security support (say, by hiring a handful of full-time employees to keep it current, and also by restricting their attention to one or a few architectures) could not beat _our_ overworked, underpaid (etc) security team.

As a random data point, take DSA-1116 (a buffer overrun with no known exploit, in a quite popular piece of desktop software), where I happen to have a timeline:

July 1  - reported privately to security team, with patch
July 6  - bug goes public through upstream's BTS, Debian bug filed
July 7  - upstream releases fixed version
July 7  - fixed in NMU to unstable
July 13 - bug reaches front of security team's attention queue.
          DSA and update to sarge prepared, but is stalled by some
          buildd problem on a minor architecture.
July 18 - fix propagates from unstable to testing
July 21 - fixed in sarge, DSA released

It is not my point to criticize the security team; I have no reason to think they are not doing an absolutely fantastic job within the externally-imposed constraints of volunteer work, unstable supplies of free time in which to do the work, donated autobuilder machines spread around the world and run by a different set of volunteers, and so on and so forth.

But it is also clear that a business which makes it a strategic priority to compete on the timeliness of security updates *could* well provide some real value over our stable and testing suites here, even - as in this case - when we have a 5-day head start. Whether the company in question *is* actually such a business or it is just making empty promises, can of course not be discerned just by reading their ad.

> I do not think that Debian as a whole should take action, but you could
> sent an email to them and tell them that they've hurt your feelings (and
> you, as opposed to me, form a part of Debian).

But please take care to express that it is as an individual that you complain, rather than as a representative of Debian as such.

-- 
Henning Makholm
"I have made it quite clear that by following that path one only reaches an
average age of about 48, that one completely wrecks one's social situation
and, as far as I can tell, dies in the deepest unhappiness and misery."
("Jeg har tydeligt gjort opmærksom på, at man ved at følge den vej kun bliver
gennemsnitligt ca. 48 år gammel, og at man sætter sin sociale situation ganske
overstyr og, så vidt jeg kan overskue, dør i dybeste ulykkelighed og
elendighed.")
Re: Concerns with Open/OS Corporate Linux ads?
Hello,

> And Debian has lacked security support for new software for a
> long time (I believe testing is supported now).

What I meant to say here is that testing, with the latest relatively stable software in it, had no security support in the past.

> > and since their ad is entitled "Debian of full age", it kind of
> > suggests that Debian per se is immature, a child, an assertion I'd
> > strongly oppose.

> Well, I would be to hard on that. Being young does also have its
> benefits :-)

Of course that should read would _not_.

-- 
Please do not send any email to [EMAIL PROTECTED] -- all email not originating from the mailing list will be deleted. Use the reply to address instead.
Re: Concerns with Open/OS Corporate Linux ads?
Hello,

> It calls our distro "reliable and secure" and states that they add
> "maturity and corporate readiness". Then they go on to state that
> Debian is
>
> - reliable
> - secure
> - upgradeable
> - integrateable
> - preconfigured
> - remotely administratable
>
> and that they add support and maintenance, which adds the features
>
> - reliable release cycle
> - newest packages
> - security team
> - preselected packages
> - security administration
> - certification
> - software tests

[..]

> - we have our own security team

That isn't negated by their ad, in fact they state that Debian is secure. And Debian has lacked security support for new software for a long time (I believe testing is supported now).

> - we have preselected packages (tasks)

Well, but they probably have others, focused on the business domain.

> - we are definitely ready for the business world
> (I know what they mean, I guess)

I would debate that. Sometimes companies simply need to pay money for a product to have someone to blame. Debian is volunteer driven, and thus no one can be put under any real pressure. For companies it is sometimes better to pay for the service and thus have someone who is responsible for that. In fact I would see the security team statement in that light: they provide security support for money and thus probably guarantee that updates are prepared in a certain time frame.

> and since their ad is entitled "Debian of full age", it kind of
> suggests that Debian per se is immature, a child, an assertion I'd
> strongly oppose.

Well, I would be too hard on that. Being young does also have its benefits :-)

> Should we do anything about this? If so, what?

I do not think that Debian as a whole should take action, but you could send an email to them and tell them that they've hurt your feelings (and you, as opposed to me, form a part of Debian). Perhaps they'll act on your criticism.

Best regards

Ben

-- 
Please do not send any email to [EMAIL PROTECTED] -- all email not originating from the mailing list will be deleted. Use the reply to address instead.
Concerns with Open/OS Corporate Linux ads?
Hi,

I am holding in my hands the 09/06 copy of the German Linux Magazin, and on page 76, opensourcefactory.com has advertised Open/OS Corporate Linux [0], which apparently makes Debian "mature".

0. http://www.open-os.com/cms/index.php?page=Home

It calls our distro "reliable and secure" and states that they add "maturity and corporate readiness". Then they go on to state that Debian is

- reliable
- secure
- upgradeable
- integrateable
- preconfigured
- remotely administratable

and that they add support and maintenance, which adds the features

- reliable release cycle
- newest packages
- security team
- preselected packages
- security administration
- certification
- software tests

the result is Open/OS Corporate Linux, which is thus

- stable
- secure
- business-oriented

While I applaud their efforts and I think it's exceptionally great how they are open about Debian forming the basis of their product (!), the ad also leaves a weird aftertaste, specifically because

- we have our own security team
- we have preselected packages (tasks)
- we are definitely ready for the business world
  (I know what they mean, I guess)

and since their ad is entitled "Debian of full age", it kind of suggests that Debian per se is immature, a child, an assertion I'd strongly oppose.

I'd be interested in what people think. Am I just overreacting?

Should we do anything about this? If so, what?

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck http://debiansystem.info
  `-     Debian - when you have better things to do than fixing systems

if loving linux is wrong, i don't want to be right.