Re: Any 7 rumors?

2014-06-01 Thread Steven Haigh
On 16/05/14 07:28, Connie Sieh wrote:
 On Thu, 15 May 2014, Dag Wieers wrote:
 
 On Tue, 8 Apr 2014, ToddAndMargo wrote:

 Any rumors as to when EL 7 will be out?

 There was an announcement today from Red Hat about a virtual event named
 Redefining the Enterprise OS at June 10. The content seems to be
 centered around RHEL7 features and functionality, so there is a big
 chance
 that this is around the time RHEL7 goes GA.

 I can only find this link online from a tweet:

 http://buff.ly/1uwrDQw

 Beware that even when RHEL7 goes GA in June, I wouldn't put it into
 production until RHEL7.1, possibly RHEL7.2 (about a year later) after
 rigorous testing and integration. (Likely depends on your use-case
 though)
 
 The RHEL 7 Public Release Candidate has been out since April 21.  Our
 complete guess is June or early July.  So This redefining the OS
 sounds probable.  Only guessing .

On this topic, has there been any further information / discussion about
if / when / how Scientific Linux will progress? I'm just about happy to
head in from day #1 of builds being available...

I have some systems on Arch Linux now due to various factors that I'd
like to migrate to EL7 when it comes along. It can't really break much
more than when an Arch update goes wrong ;)

-- 
Steven Haigh

Email: net...@crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299





Re: Any 7 rumors?

2014-05-17 Thread Nico Kadel-Garcia
On Fri, May 16, 2014 at 8:09 PM, ToddAndMargo toddandma...@zoho.com wrote:

 Any rumors on if the upgrade tool will be ready to go with 7?

 https://github.com/dashea/redhat-upgrade-tool

 FedUp for Fedora works really well.

Fedora does not have as long between releases, and as much serious
system reconfiguration between releases, as between SL or the upstream
RHEL releases. I'd really encourage doing backups of old systems and
rebuilding from scratch, rather than trying to do upgrades in place.
Third party packages, in particular, are likely to leave behind
mismatched components or configurations that will suck engineering
hours to find and clear.


Re: Any 7 rumors?

2014-05-17 Thread Stephen John Smoogen
On 16 May 2014 18:09, ToddAndMargo toddandma...@zoho.com wrote:




 Any rumors on if the upgrade tool will be ready to go with 7?


The following are confirmed rumours[1].

* EL-7 will be launching a new age of compliance to the RFC with RFC 1149
and RFC 2549 fully supported [2].
* Current work is to make sure it is compliant with RFC 2550 but this is
listed as a tech preview.
* Also in tech preview, kernel is aware and will respond to RFC3514.
* New desktop options have been worked out that will promise 4K on serial
terminal. [3]
* Upgrades from all other operating systems are now supported. [4]


[1] I can confirm that these are rumours.
[2] Hardware is up to the owner to put into place.
[3] Promise has not been evaluated to be truthful or not.
[4] Upgrade is defined as wipe and reinstall. A nickel is given if hardware
is not x86_64 compatible in the first place.

-- 
Stephen J Smoogen.


Re: Any 7 rumors?

2014-05-17 Thread Stephen John Smoogen
Because I have gotten 6 emails from people asking me where I am getting
these rumours from... it is clear I was a little too dry in the humour.

The RFCs are all April 1st ones.
The last one is a combination of a Dilbert joke
http://dilbert.com/strips/comic/1995-06-24/ and a truism (if someone
defines an upgrade as being wipe and reinstall then any OS can upgrade
another one).

My apologies for pulling people's legs when it is not April 1st.


On 17 May 2014 12:07, Stephen John Smoogen smo...@gmail.com wrote:




 On 16 May 2014 18:09, ToddAndMargo toddandma...@zoho.com wrote:




 Any rumors on if the upgrade tool will be ready to go with 7?


 The following are confirmed rumours[1].

 * EL-7 will be launching a new age of compliance to the RFC with RFC 1149
 and RFC 2549 fully supported [2].
 * Current work is to make sure it is compliant with RFC 2550 but this is
 listed as a tech preview.
 * Also in tech preview, kernel is aware and will respond to RFC3514.
 * New desktop options have been worked out that will promise 4K on serial
 terminal. [3]
 * Upgrades from all other operating systems are now supported. [4]


 [1] I can confirm that these are rumours.
 [2] Hardware is up to the owner to put into place.
 [3] Promise has not been evaluated to be truthful or not.
 [4] Upgrade is defined as wipe and reinstall. A nickel is given if
 hardware is not x86_64 compatible in the first place.

 --
 Stephen J Smoogen.




-- 
Stephen J Smoogen.


Re: Any 7 rumors?

2014-05-16 Thread Ken Teh

Good grief!  These guys just cannot leave well enough alone.  On the bright
side, this will probably extend the end-of-life for RHEL6x.

Rpms of updated tools in /usr/local!!!

Rant over...

On 05/15/2014 07:59 PM, Nico Kadel-Garcia wrote:

There are enough significant layout differences, especially the
wholesale switch to systemd and the replacement of /bin with a
symlink to /usr/bin that it's going to create a lot of cross
compatibility and software porting issues. I'm not looking forward to
that part. I'm also afraid to see that I've not yet seen a single
reason to *want* it, other than updated libraries for third party
software such as perl modules.



Re: Any 7 rumors?

2014-05-16 Thread Jamie Duncan
Did you just copy/paste that from the RHEL 6 GA and change the version
numbers?


On Fri, May 16, 2014 at 10:49 AM, Ken Teh t...@anl.gov wrote:

 Good grief!  These guys just cannot leave well enough alone.  On the bright
 side, this will probably extend the end-of-life for RHEL6x.

 Rpms of updated tools in /usr/local!!!

 Rant over...


 On 05/15/2014 07:59 PM, Nico Kadel-Garcia wrote:

 There are enough significant layout differences, especially the
 wholesale switch to systemd and the replacement of /bin with a
 symlink to /usr/bin that it's going to create a lot of cross
 compatibility and software porting issues. I'm not looking forward to
 that part. I'm also afraid to see that I've not yet seen a single
 reason to *want* it, other than updated libraries for third party
 software such as perl modules.




-- 
Thanks,

Jamie Duncan
@jamieeduncan


Re: Any 7 rumors?

2014-05-16 Thread Javier Ruiz Aranguren
Isn't it weird that choosing where to install things seems rocket science?
(Newbie rants)


2014-05-16 16:53 GMT+02:00 Jamie Duncan jamie.e.dun...@gmail.com:

 Did you just copy/paste that from the RHEL 6 GA and change the version
 numbers?


 On Fri, May 16, 2014 at 10:49 AM, Ken Teh t...@anl.gov wrote:

 Good grief!  These guys just cannot leave well enough alone.  On the
 bright
 side, this will probably extend the end-of-life for RHEL6x.

 Rpms of updated tools in /usr/local!!!

 Rant over...


 On 05/15/2014 07:59 PM, Nico Kadel-Garcia wrote:

 There are enough significant layout differences, especially the
 wholesale switch to systemd and the replacement of /bin with a
 symlink to /usr/bin that it's going to create a lot of cross
 compatibility and software porting issues. I'm not looking forward to
 that part. I'm also afraid to see that I've not yet seen a single
 reason to *want* it, other than updated libraries for third party
 software such as perl modules.




 --
 Thanks,

 Jamie Duncan
 @jamieeduncan




-- 
Javier Ruiz Aranguren
beli...@gmail.com
http://es.linkedin.com/in/jruiza


Re: Any 7 rumors?

2014-05-16 Thread Steven Timm

We have a bunch of new hardware here at Fermilab on which the 2.6.32
series of kernels that come with EL6/SL6 is no longer stable and we are
looking for an upstream-supported 3.x kernel.  That will hopefully be the
big win for us.


Steve Timm


On Thu, 15 May 2014, Nico Kadel-Garcia wrote:


On Thu, May 15, 2014 at 5:28 PM, Connie Sieh cs...@fnal.gov wrote:


The RHEL 7 Public Release Candidate has been out since April 21.  Our
complete guess is June or early July.  So This redefining the OS sounds
probable.  Only guessing .


There are enough significant layout differences, especially the
wholesale switch to systemd and the replacement of /bin with a
symlink to /usr/bin that it's going to create a lot of cross
compatibility and software porting issues. I'm not looking forward to
that part. I'm also afraid to see that I've not yet seen a single
reason to *want* it, other than updated libraries for third party
software such as perl modules.



--
Steven C. Timm, Ph.D  (630) 840-8525
t...@fnal.gov  http://home.fnal.gov/~timm/
Fermilab Scientific Computing Division, Scientific Computing Services Quad.
Grid and Cloud Services Dept., Associate Dept. Head for Cloud Computing


Re: Any 7 rumors?

2014-05-16 Thread Dag Wieers

On Thu, 15 May 2014, Connie Sieh wrote:


On Thu, 15 May 2014, Dag Wieers wrote:

 On Tue, 8 Apr 2014, ToddAndMargo wrote:

  Any rumors as to when EL 7 will be out?

 There was an announcement today from Red Hat about a virtual event named
 Redefining the Enterprise OS at June 10. The content seems to be
 centered around RHEL7 features and functionality, so there is a big chance
 that this is around the time RHEL7 goes GA.


The RHEL 7 Public Release Candidate has been out since April 21.  Our 
complete guess is June or early July.  So This redefining the OS sounds 
probable.  Only guessing .


Adding some more guesswork, if they would plan a virtual event around the 
time RHEL7 is released, my take is that the golden release is ready now 
(or at least not being delayed for any blocking issues). So any required 
changes after this date would be released as updates.


We can start placing bets and then verify who won at GA time ;-)

--
-- dag wieers, d...@wieers.com, http://dag.wieers.com/
-- dagit linux solutions, cont...@dagit.net, http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]


Re: Any 7 rumors?

2014-05-16 Thread Ian Murray




- Original Message -
 From: Dag Wieers d...@wieers.com
 To: Connie Sieh cs...@fnal.gov
 Cc: SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
 Sent: Friday, 16 May 2014, 17:03
 Subject: Re: Any 7 rumors?
 
 On Thu, 15 May 2014, Connie Sieh wrote:
 
 
  On Thu, 15 May 2014, Dag Wieers wrote:
   On Tue, 8 Apr 2014, ToddAndMargo wrote:
 
    Any rumors as to when EL 7 will be out?
 
   There was an announcement today from Red Hat about a virtual event named
   Redefining the Enterprise OS at June 10. The content seems to be
   centered around RHEL7 features and functionality, so there is a big chance
   that this is around the time RHEL7 goes GA.
 
  The RHEL 7 Public Release Candidate has been out since April 21.  Our
  complete guess is June or early July.  So This redefining the OS sounds
  probable.  Only guessing .
 
 Adding some more guesswork, if they would plan a virtual event around the 
 time RHEL7 is released, my take is that the golden release is ready now 
 (or at least not being delayed for any blocking issues). So any required 
 changes after this date would be released as updates.

There are also some real-life Red Hat Forum events around the time of the 
virtual event you mentioned. RHEL 7 seems to feature highly on the agenda 
(along with OpenStack, etc.)

http://www.redhat-forum.com/en/home


 
 We can start placing bets and then verify who won at GA time ;-)
 
 -- 
 -- dag wieers, d...@wieers.com, http://dag.wieers.com/
 -- dagit linux solutions, cont...@dagit.net, http://dagit.net/
 
 [Any errors in spelling, tact or fact are transmission errors]



Re: Any 7 rumors?

2014-05-16 Thread ToddAndMargo

On 05/16/2014 09:54 AM, Ian Murray wrote:





- Original Message -

From: Dag Wieers d...@wieers.com
To: Connie Sieh cs...@fnal.gov
Cc: SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
Sent: Friday, 16 May 2014, 17:03
Subject: Re: Any 7 rumors?

On Thu, 15 May 2014, Connie Sieh wrote:



  On Thu, 15 May 2014, Dag Wieers wrote:

   On Tue, 8 Apr 2014, ToddAndMargo wrote:

Any rumors as to when EL 7 will be out?

   There was an announcement today from Red Hat about a virtual event named
   Redefining the Enterprise OS at June 10. The content seems to be
   centered around RHEL7 features and functionality, so there is a big chance
   that this is around the time RHEL7 goes GA.


  The RHEL 7 Public Release Candidate has been out since April 21.  Our
  complete guess is June or early July.  So This redefining the OS sounds
  probable.  Only guessing .


Adding some more guesswork, if they would plan a virtual event around the
time RHEL7 is released, my take is that the golden release is ready now
(or at least not being delayed for any blocking issues). So any required
changes after this date would be released as updates.


There are also some real-life Red Hat Forum events around the time of the 
virtual event you mentioned. RHEL 7 seems to feature highly on the agenda 
(along with OpenStack, etc.)

http://www.redhat-forum.com/en/home




We can start placing bets and then verify who won at GA time ;-)

--
-- dag wieers, d...@wieers.com, http://dag.wieers.com/
-- dagit linux solutions, cont...@dagit.net, http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]






Any rumors on if the upgrade tool will be ready to go with 7?

https://github.com/dashea/redhat-upgrade-tool

FedUp for Fedora works really well.



--
~~
Computers are like air conditioners.
They malfunction when you open windows
~~


Re: Any 7 rumors?

2014-05-15 Thread Dag Wieers

On Tue, 8 Apr 2014, ToddAndMargo wrote:


Any rumors as to when EL 7 will be out?


There was an announcement today from Red Hat about a virtual event named 
Redefining the Enterprise OS at June 10. The content seems to be 
centered around RHEL7 features and functionality, so there is a big chance 
that this is around the time RHEL7 goes GA.


I can only find this link online from a tweet:

http://buff.ly/1uwrDQw

Beware that even when RHEL7 goes GA in June, I wouldn't put it into 
production until RHEL7.1, possibly RHEL7.2 (about a year later) after 
rigorous testing and integration. (Likely depends on your use-case though)


--
-- dag wieers, d...@wieers.com, http://dag.wieers.com/
-- dagit linux solutions, cont...@dagit.net, http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]


Re: Any 7 rumors?

2014-05-15 Thread Connie Sieh

On Thu, 15 May 2014, Dag Wieers wrote:


On Tue, 8 Apr 2014, ToddAndMargo wrote:


Any rumors as to when EL 7 will be out?


There was an announcement today from Red Hat about a virtual event named
Redefining the Enterprise OS at June 10. The content seems to be
centered around RHEL7 features and functionality, so there is a big chance
that this is around the time RHEL7 goes GA.

I can only find this link online from a tweet:

http://buff.ly/1uwrDQw

Beware that even when RHEL7 goes GA in June, I wouldn't put it into
production until RHEL7.1, possibly RHEL7.2 (about a year later) after
rigorous testing and integration. (Likely depends on your use-case though)




The RHEL 7 Public Release Candidate has been out since April 21.  Our 
complete guess is June or early July.  So This redefining the OS sounds 
probable.  Only guessing .


-connie


Re: Any 7 rumors?

2014-05-15 Thread Nico Kadel-Garcia
On Thu, May 15, 2014 at 5:28 PM, Connie Sieh cs...@fnal.gov wrote:

 The RHEL 7 Public Release Candidate has been out since April 21.  Our
 complete guess is June or early July.  So This redefining the OS sounds
 probable.  Only guessing .

There are enough significant layout differences, especially the
wholesale switch to systemd and the replacement of /bin with a
symlink to /usr/bin that it's going to create a lot of cross
compatibility and software porting issues. I'm not looking forward to
that part. I'm also afraid to see that I've not yet seen a single
reason to *want* it, other than updated libraries for third party
software such as perl modules.


Re: Any 7 rumors?

2014-04-15 Thread ToddAndMargo

On 04/08/2014 07:14 PM, ToddAndMargo wrote:

Hi All,

I have a customer who is going to have to upgrade a
whole pail of stuff for PCI compliance (credit card
security).

Part of what he is going to have to upgrade is his old
CentOS 5.x server (it is too underpowered to handle
his new software along with the additional drag
caused by adding File Integrity Monitoring
[FIM] Software).

Any rumors as to when EL 7 will be out?

Many thanks,
-T



Spoke with a Red Hat sales rep on another issue.
Asked about 7.  Said that they keep telling them
soon but won't give any details.


--
~~
Computers are like air conditioners.
They malfunction when you open windows
~~


Re: Any 7 rumors?

2014-04-15 Thread Paul Robert Marino
The only way you get details on things like pending release dates from Red Hat is if you sign an NDA and even then it's only an estimate not a hard date.
Plus since they make you sign an NDA you can't share the info with anyone.

-- Sent from my HP Pre3

On Apr 15, 2014 14:34, ToddAndMargo toddandma...@zoho.com wrote:

 On 04/08/2014 07:14 PM, ToddAndMargo wrote:
 Hi All,

 I have a customer who is going to have to upgrade a
 whole pail of stuff for PCI compliance (credit card
 security).

 Part of what he is going to have to upgrade is his old
 CentOS 5.x server (it is too underpowered to handle
 his new software along with the additional drag
 caused by adding File Integrity Monitoring
 [FIM] Software).

 Any rumors as to when EL 7 will be out?

 Many thanks,
 -T


Spoke with a Red Hat sales rep on another issue.
Asked about "7".  Said that they keep telling them
"soon" but won't give any details.


-- 
~~
Computers are like air conditioners.
They malfunction when you open windows
~~

Re: Any 7 rumors?

2014-04-15 Thread zxq9
On Tuesday 15 April 2014 15:06:04 ToddAndMargo wrote:
 On 04/15/2014 02:48 PM, Paul Robert Marino wrote:
  The only way you get details on things like pending release dates from
  Red Hat is if you sign an NDA and even then it's only an estimate not a
  hard date.
  Plus since they make you sign an NDA you can't share the info with
  anyone.
 
 And, plus if you are late and right, the customer will
 forgive you.  But, if you are on time and wrong, the customer
 will never forgive you.

But if you're late and wrong, you can become unstoppable.[1]

[1] http://www.microsoft.com


Re: Any 7 rumors?

2014-04-15 Thread ToddAndMargo

On 04/15/2014 03:19 PM, zxq9 wrote:

On Tuesday 15 April 2014 15:06:04 ToddAndMargo wrote:

On 04/15/2014 02:48 PM, Paul Robert Marino wrote:

The only way you get details on things like pending release dates from
Red Hat is if you sign an NDA and even then it's only an estimate not a
hard date.
Plus since they make you sign an NDA you can't share the info with
anyone.


And, plus if you are late and right, the customer will
forgive you.  But, if you are on time and wrong, the customer
will never forgive you.


But if you're late and wrong, you can become unstoppable.[1]

[1] http://www.microsoft.com



Hi zxq9,

I see customer after customer that should be on Linux, but
can't because they need this or that application that only
runs in Windows.

Here is what you guys are missing by running Linux.  This
is yesterday's junkware infection I got to remove:

Browser Infrastructure Helper, Browser Safeguard, Media
Finder, Optomizer Pro, PC Fix Speed,VT Downloader,
Boost-Interprocess, Save Sensititive, Strong Vault,
Sys Tweek, Win Cert, My Search Dial, PC Health Kit,
Price Gong, Smart Bar, Advanced System Protect,
Ask Toolbar, and at this point I got tired of writing
them down.

And these guys have started to use virus techniques
to reinstall themselves.

And, oh please don't tell me it is because Linux is
obscure.  It is because Windows is sloppy.  It should
prompt for the admin password before installing, like Linux,
OSx, iOS.  And not default set up a user account with Admin
privileges.  (That should not be a possibility.)

But, if they have to have their stinkin' QuickBooks ...

-T


--
~~
Computers are like air conditioners.
They malfunction when you open windows
~~


Re: Any 7 rumors?

2014-04-15 Thread Paul Robert Marino
Chill man he was making a joke.

-- Sent from my HP Pre3

On Apr 15, 2014 18:34, ToddAndMargo toddandma...@zoho.com wrote:

 On 04/15/2014 03:19 PM, zxq9 wrote:
 On Tuesday 15 April 2014 15:06:04 ToddAndMargo wrote:
 On 04/15/2014 02:48 PM, Paul Robert Marino wrote:
 The only way you get details on things like pending release dates from
 Red Hat is if you sign an NDA and even then it's only an estimate not a
 hard date.
 Plus since they make you sign an NDA you can't share the info with
 anyone.

 And, plus if you are late and right, the customer will
 forgive you.  But, if you are on time and wrong, the customer
 will never forgive you.

 But if you're late and wrong, you can become unstoppable.[1]

 [1] http://www.microsoft.com


Hi zxq9,

I see customer after customer that should be on Linux, but
can't because they need this or that application that only
runs in Windows.

Here is what you guys are missing by running Linux.  This
is yesterday's junkware infection I got to remove:

Browser Infrastructure Helper, Browser Safeguard, Media
Finder, Optomizer Pro, PC Fix Speed,VT Downloader,
Boost-Interprocess, Save Sensititive, Strong Vault,
Sys Tweek, Win Cert, My Search Dial, PC Health Kit,
Price Gong, Smart Bar, Advanced System Protect,
Ask Toolbar, and at this point I got tired of writing
them down.

And these guys have started to use virus techniques
to reinstall themselves.

And, oh please don't tell me it is because Linux is
"obscure".  It is because Windows is "sloppy".  It should
prompt for the admin password before installing, like Linux,
OSx, iOS.  And not default set up a user account with Admin
privileges.  (That should not be a possibility.)

But, if they have to have their stinkin' QuickBooks ...

-T


-- 
~~
Computers are like air conditioners.
They malfunction when you open windows
~~

Re: Any 7 rumors?

2014-04-15 Thread ToddAndMargo

On 04/15/2014 03:51 PM, Paul Robert Marino wrote:

Chill man he was making a joke.


I know.  I tend to run at the mouth.

--
~~
Computers are like air conditioners.
They malfunction when you open windows
~~


Re: Any 7 rumors?

2014-04-13 Thread Paul Robert Marino
I agree with you on every point. With the addition that no insurance policy will cover any financial damages if you can't prove "Due Diligence".

Furthermore, if it's a publicly traded company the board of directors and the stockholders have a right to sue everyone with a C(E, I, T, etc.)O title for damages if they don't do their "Due Diligence". Just for that reason, when my company hired a new CIO his first order was he wanted a full security audit of everything including a full pen test. Let me tell you, when you work for a multibillion dollar international corporation with many subsidiaries that's a nightmare, but everyone understands why he wants it so none of the people coordinating it are complaining.

-- Sent from my HP Pre3

On Apr 11, 2014 23:54, ToddAndMargo toddandma...@zoho.com wrote:

 On 04/10/2014 07:45 AM, Paul Robert Marino wrote:
 Keep in mind PCI compliance is a CYA exercise more than anything else.

Hi Paul,

I tell my customers it is not about security, it is
about liability shifting.  From the card processor
to you.  That gets their attention.  If they can't
prove "Due Diligence" they might as well declare
bankruptcy.

Still, most just blow it off.  And it is the Law in
this state (Nevada) too.

And, I am getting really tired of quoting the SAQs (self
assessments questionnaires) to card processors.  The
one shining light is Pay Pros, who are deadly serious
about it.  Love working with them.

-T

-- 
~~
Computers are like air conditioners.
They malfunction when you open windows
~~

Re: Any 7 rumors?

2014-04-11 Thread ToddAndMargo

On 04/10/2014 07:45 AM, Paul Robert Marino wrote:

Keep in mind PCI compliance is a CYA exercise more than anything else.


Hi Paul,

I tell my customers it is not about security, it is
about liability shifting.  From the card processor
to you.  That gets their attention.  If they can't
prove Due Diligence they might as well declare
bankruptcy.

Still, most just blow it off.  And it is the Law in
this state (Nevada) too.

And, I am getting really tired of quoting the SAQs (self
assessments questionnaires) to card processors.  The
one shining light is Pay Pros, who are deadly serious
about it.  Love working with them.

-T

--
~~
Computers are like air conditioners.
They malfunction when you open windows
~~


Re: Any 7 rumors?

2014-04-10 Thread Nico Kadel-Garcia
On Wed, Apr 9, 2014 at 2:11 PM, Stephen John Smoogen smo...@gmail.com wrote:

 On 9 April 2014 11:17, David Sommerseth sl+us...@lists.topphemmelig.net

 Really!?  I've been involved in a few PCI-DSS certification rounds for a
 company which provided online payment services back in the days.
 Granted that's some years ago now (2005 to 2008-ish).  Even though our
 scope was limited to only processing credit card information, we did not
 see any requirements anywhere at that time for the shopping cart to be
 PCI-DSS certified.

Don't forget the commonplace flat-out lying in PCI-DSS certification.
When a company says we have a policy of secure password management,
and has a video about how passwords are never known by anyone other
than the password owner and are never sent in email, then *turns
around and orders you to do so as a matter of standard practice for
your entire department*, you know your PCI-DSS certification is not
meaningful.

This sort of thing is why I spend so much time trying to get Kerberos
based account authentication working well for SL based environments.
It puts the access control in an environment where a central IT staff,
or me, can set sane policies, set accounts safely, never store
unencrypted passwords on any server we control, and not rely on
someone else's implementation of written policies.


Re: Any 7 rumors?

2014-04-10 Thread Paul Robert Marino
Well the shopping cart isn't explicitly stated but it is implied and
there have been several cases where companies have gotten in trouble
for not properly securing the shopping cart data.

Keep in mind PCI compliance is a CYA exercise more than anything else.

As far as providing a Gentoo based appliance to your customers, in that
case you are taking the place of Red Hat; in that case you are directly
responsible for ensuring the safety of your platform. if you have the
staff to do all the testing and integration of security patches.
Further, I actually like Gentoo as an appliance platform because you
can very easily build a custom stripped to the base minimum
appliance. The big trick is to build your own portage servers and
create binary packages so your appliances don't have to compile every
update and if possible don't have a compiler installed at all.


On Wed, Apr 9, 2014 at 1:17 PM, David Sommerseth
sl+us...@lists.topphemmelig.net wrote:
 On 09/04/14 16:27, Paul Robert Marino wrote:
 No it was always required because the shopping cart itself may in some
 cases contain data which could possibly be used to gain access to
 sensitive customer data. Also in a sense data about who purchases what
 and where could also be used to mask credit card fraud by making the
 fraudulent charges look like the normal shopping activities of the
 card holder.

 Really!?  I've been involved in a few PCI-DSS certification rounds for a
 company which provided online payment services back in the days.
 Granted that's some years ago now (2005 to 2008-ish).  Even though our
 scope was limited to only processing credit card information, we did not
 see any requirements anywhere at that time for the shopping cart to be
 PCI-DSS certified.

 In fact one of our sales arguments at that time was that our customers
 could avoid certifications by implementing our online payment
 terminal.  We even had some discussions with our auditor about this,
 who gave his blessings to our product.  The solution we provided in this
 case would take care of retrieving the credit card information from the
 customer, process the payment and just provide a status back to the
 merchant.  Merchants using a payment API for processing payments would
 in some cases need certification, based on the amount of transactions
 they had; this I believe has become much stricter since those days.

 And just to have mentioned it, the solutions we provided was based upon
 Gentoo(!) servers.  We even got very positive feedback for having
 absolutely minimum installs on our production servers, plus kudos for
 our maintenance routines.

 Of course, many of the requirements have most likely changed since then.
  But I don't recognise the always required in regards to shopping carts.


 --
 kind regards,

 David Sommerseth



 On Wed, Apr 9, 2014 at 8:13 AM, James M. Pulver jmp...@cornell.edu wrote:
 We were recently informed PCI compliance also extends to the shopping cart
 software, this may be new this year...



 --

 James Pulver

 CLASSE Computer Group

 Cornell University



 From: owner-scientific-linux-us...@listserv.fnal.gov
 [mailto:owner-scientific-linux-us...@listserv.fnal.gov] On Behalf Of Paul
 Robert Marino
 Sent: Tuesday, April 08, 2014 11:26 PM
 To: Nico Kadel-Garcia; ToddAndMargo
 Cc: Scientific Linux Users
 Subject: Re: Any 7 rumors?



 Well frankly if you need PCI-DSS compliance pay for RHEL. It's honestly not
 that expensive for the few systems that really require it. Only the
 systems that handle credit cards supposedly require it and in most
 ecommerce companies that's probably 2 to 4 systems so what's the problem
 with paying $750 a year each for those few systems to not have to deal with
 the problems and giving the stock investors a warm and fuzzy feeling. Your
 time spent on it costs them more money and it reduces all the stress on
 everyone if you buy compliance on the cheap.


 -- Sent from my HP Pre3



 

 On Apr 8, 2014 22:55, Nico Kadel-Garcia nka...@gmail.com wrote:

 On Tue, Apr 8, 2014 at 10:14 PM, ToddAndMargo toddandma...@zoho.com wrote:
 Hi All,

 I have a customer who is going to have to upgrade a
 whole pail of stuff for PCI compliance (credit card
 security).

 Part of what he is going to have to upgrade is his old
 CentOS 5.x server (it is too underpowered to handle
 his new software along with the additional drag
 caused by adding File Integrity Monitoring
 [FIM] Software).

 Any rumors as to when EL 7 will be out?

 Many thanks,
 -T

 Shortly after our favorite upstream vendor publishes it? I don't see
 the relevance though. If he needs to update CentOS 5, update it to SL
 6 or CentOS 6. Why wait for RHEL 7 to update? It's going to be major
 cluster futz with the switch to systemd from init scripts, with
 /bin being migrated to /usr/bin, and the other major changes. It
 will be much simpler, and much, much safer, to update to CentOS 6 or
 SL 6 first!



Re: Any 7 rumors?

2014-04-09 Thread Jamie Duncan
I don't know what you mean by 'commercial OS'.

Let me rewind a little and make sure I'm completely clear in the point I
was trying to make. I blame the horrid hotel room I'm in right now for any
confusion.

I mostly work in the government space these days. Certifications like
Common Criteria, FIPS, FISMA, et al include not only the bits but the build
environments/processes/etc. as well. They are time-consuming, expensive and
the RHEL certifications for these standards don't apply to
SL/CentOS/OEL/foo.

You CAN be PCI-compliant with most any Linux distribution if you work hard
enough. However, if you find yourself in a PCI violation situation due to
the bits (not human error, of course), community-based distributions can
provide support through their normal means. Where Red Hat differs with PCI
is that they are also legally on the hook in that situation because of the
TC's that customers accept at the beginning. It's a two-way street.

In those situations, having a vendor that is legally liable to assist and
provide remediation is, IMHO, a good thing.

Hope that helps.


On Wed, Apr 9, 2014 at 1:17 AM, Eero Volotinen eero.voloti...@iki.fi wrote:






 Is SL not PCI compliant because it is not a commercial
 effort?  I thought SL got all the patches the RHEL
 got?  Please elucidate.


 There is no PCI requirement(s) to use commercial OS. Please read the
 requirements instead of FUD!

 --
 Eero




-- 
Thanks,

Jamie Duncan
@jamieeduncan


Re: Any 7 rumors?

2014-04-09 Thread zxq9
On Wednesday 09 April 2014 06:38:38 Jamie Duncan wrote:
 I don't know what you mean by 'commercial OS'.
 
 Let me rewind a little and make sure I'm completely clear in the point I
 was trying to make. I blame the horrid hotel room I'm in right now for any
 confusion.
 
 I mostly work in the government space these days. Certifications like
 Common Criteria, FIPS, FISMA, et al include not only the bits but the build
 environments/processes/etc. as well. They are time-consuming, expensive and
 the RHEL certifications for these standards don't apply to
 SL/CentOS/OEL/foo.

Just to follow on that, the standards don't apply to the source in this case, 
they apply to the binaries, which starts with the source, follows through a 
verified build environment and on to signed binaries (and how they are signed, 
and how those keys are handled, as well). It's a major pain, which is why the
OpenSSL project's FIPS efforts are all sub-projects, getting FIPS binaries out 
is a pita worth a project all its own (and is *really* expensive, which is why 
only certain parts are FIPS certified).

To understand a part of why the source isn't the main issue, review the 
classic Trusting Trust (AKA Mother of all Security Fears) by Ken Thompson 
-- yes, *that* Ken Thompson.
http://cm.bell-labs.com/who/ken/trust.html

That said, Thompson's paper will also demonstrate why this isn't enough for
complete security, but it's the best a large organization can do...


RE: Any 7 rumors?

2014-04-09 Thread James M. Pulver
We were recently informed PCI compliance also extends to the shopping cart 
software, this may be new this year…

--
James Pulver
CLASSE Computer Group
Cornell University

From: owner-scientific-linux-us...@listserv.fnal.gov 
[mailto:owner-scientific-linux-us...@listserv.fnal.gov] On Behalf Of Paul 
Robert Marino
Sent: Tuesday, April 08, 2014 11:26 PM
To: Nico Kadel-Garcia; ToddAndMargo
Cc: Scientific Linux Users
Subject: Re: Any 7 rumors?

Well frankly if you need PCI-DSS compliance pay for RHEL. It's honestly not that
expensive for the few systems that really require it. Only the systems that
handle credit cards supposedly require it and in most ecommerce companies
that's probably 2 to 4 systems so what's the problem with paying $750 a year
each for those few systems to not have to deal with the problems and giving the
stock investors a warm and fuzzy feeling. Your time spent on it costs them more
money and it reduces all the stress on everyone if you buy compliance on the
cheap.


-- Sent from my HP Pre3


On Apr 8, 2014 22:55, Nico Kadel-Garcia nka...@gmail.com wrote:

On Tue, Apr 8, 2014 at 10:14 PM, ToddAndMargo toddandma...@zoho.com wrote:
 Hi All,

 I have a customer who is going to have to upgrade a
 whole pail of stuff for PCI compliance (credit card
 security).

 Part of what he is going to have to upgrade is his old
 CentOS 5.x server (it is too underpowered to handle
 his new software along with the additional drag
 caused by adding File Integrity Monitoring
 [FIM] Software).

 Any rumors as to when EL 7 will be out?

 Many thanks,
 -T

Shortly after our favorite upstream vendor publishes it? I don't see
the relevance though. If he needs to update CentOS 5, update it to SL
6 or CentOS 6. Why wait for RHEL 7 to update? It's going to be a major
cluster futz with the switch to systemd from init scripts, with
/bin being migrated to /usr/bin, and the other major changes. It
will be much simpler, and much, much safer, to update to CentOS 6 or
SL 6 first!


Re: Any 7 rumors?

2014-04-09 Thread Paul Robert Marino
No it was always required because the shopping cart itself may in some
cases contain data which could possibly be used to gain access to
sensitive customer data. Also in a sense data about who purchases what
and where could also be used to mask credit card fraud by making the
fraudulent charges look like the normal shopping activities of the
card holder.


Finally, even if there weren't upstream standards referenced in PCI
which require signed verified binaries, let's talk about the legal
ramifications of not paying for support on systems containing
sensitive data.

If you did have a breach because of a compromised binary and in the
aftermath you can say "The box was running RHEL, and was fully up to
date at the time of the breach. We've reported the issue to Red Hat
and they are currently investigating the cause and how to fix it."
well then you are done because you have done everything that can be
reasonably expected of you as a systems administrator. If you say "the
box was running distro X and we do not have a support contract with
them because they do not offer such an option" you will be asked one
simple question: "Who decided to store sensitive information on a box
running Distro X?" If the answer is "you did" then you and your company
are now legally responsible. If the answer is "that other guy", he and
your company are now legally responsible. Even if Distro X is
identical to RHEL in every way and the box was fully updated it
doesn't matter because in the eyes of the credit card companies, the
lawyers, and court you made a conscious choice to save money by not
buying support which put the customer data at risk, and you know what,
they are right. There is a lag time in getting patches and if you
don't pay for support on critical systems then you have no way of
ensuring that any vulnerabilities in the binaries you find or someone
else finds on your box get fixed in a timely manner.

While I often contribute patches upstream to projects to fix bugs I
find, I'm not an expert in every programming language and every subtle
aspect of every protocol and operation my systems run, and no one person
is. By paying for support you are really paying for a large group of
experts who when added all up are as close as possible to experts on
every aspect of the OS who you can call for help when you need them.




On Wed, Apr 9, 2014 at 8:13 AM, James M. Pulver jmp...@cornell.edu wrote:
 We were recently informed PCI compliance also extends to the shopping cart
 software, this may be new this year...



 --

 James Pulver

 CLASSE Computer Group

 Cornell University



 From: owner-scientific-linux-us...@listserv.fnal.gov
 [mailto:owner-scientific-linux-us...@listserv.fnal.gov] On Behalf Of Paul
 Robert Marino
 Sent: Tuesday, April 08, 2014 11:26 PM
 To: Nico Kadel-Garcia; ToddAndMargo
 Cc: Scientific Linux Users
 Subject: Re: Any 7 rumors?



 Well frankly if you need PCI-DSS compliance pay for RHEL. It's honestly not
 that expensive for the few systems that really require it. Only the
 systems that handle credit cards supposedly require it and in most
 ecommerce companies that's probably 2 to 4 systems so what's the problem
 with paying $750 a year each for those few systems to not have to deal with
 the problems and giving the stock investors a warm and fuzzy feeling. Your
 time spent on it costs them more money and it reduces all the stress on
 everyone if you buy compliance on the cheap.


 -- Sent from my HP Pre3



 

 On Apr 8, 2014 22:55, Nico Kadel-Garcia nka...@gmail.com wrote:

 On Tue, Apr 8, 2014 at 10:14 PM, ToddAndMargo toddandma...@zoho.com wrote:
 Hi All,

 I have a customer who is going to have to upgrade a
 whole pail of stuff for PCI compliance (credit card
 security).

 Part of what he is going to have to upgrade is his old
 CentOS 5.x server (it is too underpowered to handle
 his new software along with the additional drag
 caused by adding File Integrity Monitoring
 [FIM] Software).

 Any rumors as to when EL 7 will be out?

 Many thanks,
 -T

 Shortly after our favorite upstream vendor publishes it? I don't see
 the relevance though. If he needs to update CentOS 5, update it to SL
 6 or CentOS 6. Why wait for RHEL 7 to update? It's going to be a major
 cluster futz with the switch to systemd from init scripts, with
 /bin being migrated to /usr/bin, and the other major changes. It
 will be much simpler, and much, much safer, to update to CentOS 6 or
 SL 6 first!


Re: Any 7 rumors?

2014-04-09 Thread ToddAndMargo

On 04/08/2014 10:17 PM, Eero Volotinen wrote:

Is SL not PCI compliant because it is not a commercial
effort?  I thought SL got all the patches the RHEL
got?  Please elucidate.

There is no PCI requirement(s) to use commercial OS. Please read the
requirements instead of FUD!


Hi Eero,

   Do you have a link to that particular requirement?

Many thanks,
-T


Re: Any 7 rumors?

2014-04-09 Thread David Sommerseth
On 09/04/14 16:27, Paul Robert Marino wrote:
 No it was always required because the shopping cart itself may in some
 cases contain data which could possibly be used to gain access to
 sensitive customer data. Also in a sense data about who purchases what
 and where could also be used to mask credit card fraud by making the
 fraudulent charges look like the normal shopping activities of the
 card holder.

Really!?  I've been involved in a few PCI-DSS certification rounds for a
company which provided online payment services back in the days.
Granted that's some years ago now (2005 to 2008-ish).  Even though our
scope was limited to only processing credit card information, we did not
see any requirements anywhere at that time for the shopping cart to be
PCI-DSS certified.

In fact one of our sales arguments at that time was that our customers
could avoid certifications by implementing our online payment
terminal.  We even had some discussions with our auditor about this,
who gave his blessings to our product.  The solution we provided in this
case would take care of retrieving the credit card information from the
customer, process the payment and just provide a status back to the
merchant.  Merchants using a payment API for processing payments would
in some cases need certification, based on the amount of transactions
they had; this I believe has become much stricter since those days.

And just to have mentioned it, the solutions we provided were based upon
Gentoo(!) servers.  We even got very positive feedback for having
absolutely minimum installs on our production servers, plus kudos for
our maintenance routines.

Of course, many of the requirements have most likely changed since then.
But I don't recognise the "always required" in regards to shopping carts.


--
kind regards,

David Sommerseth


 
 On Wed, Apr 9, 2014 at 8:13 AM, James M. Pulver jmp...@cornell.edu wrote:
 We were recently informed PCI compliance also extends to the shopping cart
 software, this may be new this year...



 --

 James Pulver

 CLASSE Computer Group

 Cornell University



 From: owner-scientific-linux-us...@listserv.fnal.gov
 [mailto:owner-scientific-linux-us...@listserv.fnal.gov] On Behalf Of Paul
 Robert Marino
 Sent: Tuesday, April 08, 2014 11:26 PM
 To: Nico Kadel-Garcia; ToddAndMargo
 Cc: Scientific Linux Users
 Subject: Re: Any 7 rumors?



 Well frankly if you need PCI-DSS compliance pay for RHEL. It's honestly not
 that expensive for the few systems that really require it. Only the
 systems that handle credit cards supposedly require it and in most
 ecommerce companies that's probably 2 to 4 systems so what's the problem
 with paying $750 a year each for those few systems to not have to deal with
 the problems and giving the stock investors a warm and fuzzy feeling. Your
 time spent on it costs them more money and it reduces all the stress on
 everyone if you buy compliance on the cheap.


 -- Sent from my HP Pre3



 

 On Apr 8, 2014 22:55, Nico Kadel-Garcia nka...@gmail.com wrote:

 On Tue, Apr 8, 2014 at 10:14 PM, ToddAndMargo toddandma...@zoho.com wrote:
 Hi All,

 I have a customer who is going to have to upgrade a
 whole pail of stuff for PCI compliance (credit card
 security).

 Part of what he is going to have to upgrade is his old
 CentOS 5.x server (it is too underpowered to handle
 his new software along with the additional drag
 caused by adding File Integrity Monitoring
 [FIM] Software).

 Any rumors as to when EL 7 will be out?

 Many thanks,
 -T

 Shortly after our favorite upstream vendor publishes it? I don't see
 the relevance though. If he needs to update CentOS 5, update it to SL
 6 or CentOS 6. Why wait for RHEL 7 to update? It's going to be a major
 cluster futz with the switch to systemd from init scripts, with
 /bin being migrated to /usr/bin, and the other major changes. It
 will be much simpler, and much, much safer, to update to CentOS 6 or
 SL 6 first!


Re: Any 7 rumors?

2014-04-09 Thread Stephen John Smoogen
On 9 April 2014 11:17, David Sommerseth sl+us...@lists.topphemmelig.net wrote:

 On 09/04/14 16:27, Paul Robert Marino wrote:
  No it was always required because the shopping cart itself may in some
  cases contain data which could possibly be used to gain access to
  sensitive customer data. Also in a sense data about who purchases what
  and where could also be used to mask credit card fraud by making the
  fraudulent charges look like the normal shopping activities of the
  card holder.

 Really!?  I've been involved in a few PCI-DSS certification rounds for a
 company which provided online payment services back in the days.
 Granted that's some years ago now (2005 to 2008-ish).  Even though our
 scope was limited to only processing credit card information, we did not
 see any requirements anywhere at that time for the shopping cart to be
 PCI-DSS certified.


Any time you read "always" in certifications, it means that the original
organization thought they had made it clear originally but instead it was
interpreted completely differently by various auditors. Since PCI-DSS
certification comes down a lot to what an auditor will go with.. any
phrases with wiggle room or non-absolutely clear language (did we use MAY
when we should have used WILL is the easiest one) then you end up with
years of 'clean-up' where various things you got told were ok are not ok
with either a different auditor or the next set of clarifications because
someone stuck an OR in when they meant XOR or AND.  So the authors go back
and clear it up and say it meant to always be that way and people in the
field go WHA?




-- 
Stephen J Smoogen.


Re: Any 7 rumors?

2014-04-08 Thread Jamie Duncan
lots of rumors. ;)


On Tue, Apr 8, 2014 at 10:14 PM, ToddAndMargo toddandma...@zoho.com wrote:

 Hi All,

 I have a customer who is going to have to upgrade a
 whole pail of stuff for PCI compliance (credit card
 security).

 Part of what he is going to have to upgrade is his old
 CentOS 5.x server (it is too underpowered to handle
 his new software along with the additional drag
 caused by adding File Integrity Monitoring
 [FIM] Software).

 Any rumors as to when EL 7 will be out?

 Many thanks,
 -T

 --
 ~~
 Computers are like air conditioners.
 They malfunction when you open windows
 ~~




-- 
Thanks,

Jamie Duncan
@jamieeduncan


Re: Any 7 rumors?

2014-04-08 Thread Nico Kadel-Garcia
On Tue, Apr 8, 2014 at 10:14 PM, ToddAndMargo toddandma...@zoho.com wrote:
 Hi All,

 I have a customer who is going to have to upgrade a
 whole pail of stuff for PCI compliance (credit card
 security).

 Part of what he is going to have to upgrade is his old
 CentOS 5.x server (it is too underpowered to handle
 his new software along with the additional drag
 caused by adding File Integrity Monitoring
 [FIM] Software).

 Any rumors as to when EL 7 will be out?

 Many thanks,
 -T

Shortly after our favorite upstream vendor publishes it? I don't see
the relevance though. If he needs to update CentOS 5, update it to SL
6 or CentOS 6. Why wait for RHEL 7 to update? It's going to be a major
cluster futz with the switch to systemd from init scripts, with
/bin being migrated to /usr/bin, and the other major changes. It
will be much simpler, and much, much safer, to update to CentOS 6 or
SL 6 first!


Re: Any 7 rumors?

2014-04-08 Thread Paul Robert Marino
Well frankly if you need PCI-DSS compliance pay for RHEL. It's honestly
not that expensive for the few systems that really require it. Only the
systems that handle credit cards supposedly require it and in most
ecommerce companies that's probably 2 to 4 systems so what's the
problem with paying $750 a year each for those few systems to not have to
deal with the problems and giving the stock investors a warm and fuzzy
feeling. Your time spent on it costs them more money and it reduces all
the stress on everyone if you buy compliance on the cheap.

-- Sent from my HP Pre3

On Apr 8, 2014 22:55, Nico Kadel-Garcia nka...@gmail.com wrote:

On Tue, Apr 8, 2014 at 10:14 PM, ToddAndMargo toddandma...@zoho.com wrote:
 Hi All,

 I have a customer who is going to have to upgrade a
 whole pail of stuff for PCI compliance (credit card
 security).

 Part of what he is going to have to upgrade is his old
 CentOS 5.x server (it is too underpowered to handle
 his new software along with the additional drag
 caused by adding File Integrity Monitoring
 [FIM] Software).

 Any rumors as to when EL 7 will be out?

 Many thanks,
 -T

Shortly after our favorite upstream vendor publishes it? I don't see
the relevance though. If he needs to update CentOS 5, update it to SL
6 or CentOS 6. Why wait for RHEL 7 to update? It's going to be a major
cluster futz with the switch to systemd from init scripts, with
"/bin" being migrated to "/usr/bin", and the other major changes. It
will be much simpler, and much, much safer, to update to CentOS 6 or
SL 6 first!

Re: Any 7 rumors?

2014-04-08 Thread ToddAndMargo

On 04/08/2014 08:25 PM, Paul Robert Marino wrote:

Well frankly if you need PCI-DSS compliance pay for RHEL. It's honestly
not that expensive for the few systems that really require it. Only the
systems that handle credit cards supposedly require it and in most
ecommerce companies that's probably 2 to 4 systems so what's the
problem with paying $750 a year each for those few systems to not have to
deal with the problems and giving the stock investors a warm and fuzzy
feeling. Your time spent on it costs them more money and it reduces all
the stress on everyone if you buy compliance on the cheap.


Hi Paul,

Is SL not PCI compliant because it is not a commercial
effort?  I thought SL got all the patches the RHEL
got?  Please elucidate.

Oh, and it is a sole proprietor and CHEAP doesn't
begin to describe him.  (Nice guy though.)

Many thanks,
-T

--
~~
Computers are like air conditioners.
They malfunction when you open windows
~~


Re: Any 7 rumors?

2014-04-08 Thread Jamie Duncan
PCI compliance is a lot more than just the code. Red Hat goes through
multiple processes with these governing bodies to certify RHEL. That
doesn't pass down to downstream distributions.
On Apr 8, 2014 11:32 PM, ToddAndMargo toddandma...@zoho.com wrote:

 On 04/08/2014 08:25 PM, Paul Robert Marino wrote:

 Well frankly if you need PCI-DSS compliance pay for RHEL. It's honestly
 not that expensive for the few systems that really require it. Only the
 systems that handle credit cards supposedly require it and in most
 ecommerce companies that's probably 2 to 4 systems so what's the
 problem with paying $750 a year each for those few systems to not have to
 deal with the problems and giving the stock investors a warm and fuzzy
 feeling. Your time spent on it costs them more money and it reduces all
 the stress on everyone if you buy compliance on the cheap.


 Hi Paul,

 Is SL not PCI compliant because it is not a commercial
 effort?  I thought SL got all the patches the RHEL
 got?  Please elucidate.

 Oh, and it is a sole proprietor and CHEAP doesn't
 begin to describe him.  (Nice guy though.)

 Many thanks,
 -T

 --
 ~~
 Computers are like air conditioners.
 They malfunction when you open windows
 ~~



Re: Any 7 rumors?

2014-04-08 Thread ToddAndMargo

On Apr 8, 2014 11:32 PM, ToddAndMargo toddandma...@zoho.com wrote:

On 04/08/2014 08:25 PM, Paul Robert Marino wrote:

Well frankly if you need PCI-DSS compliance pay for RHEL. It's honestly
not that expensive for the few systems that really require it. Only the
systems that handle credit cards supposedly require it and in most
ecommerce companies that's probably 2 to 4 systems so what's the
problem with paying $750 a year each for those few systems to not have to
deal with the problems and giving the stock investors a warm and fuzzy
feeling. Your time spent on it costs them more money and it reduces all
the stress on everyone if you buy compliance on the cheap.


Hi Paul,

Is SL not PCI compliant because it is not a commercial
effort?  I thought SL got all the patches the RHEL
got?  Please elucidate.

Oh, and it is a sole proprietor and CHEAP doesn't
begin to describe him.  (Nice guy though.)

Many thanks,
-T





On 04/08/2014 09:24 PM, Jamie Duncan wrote:

PCI compliance is a lot more than just the code. Red Hat goes through
multiple processes with these governing bodies to certify RHEL. That
doesn't pass down to downstream distributions.



Hi Jamie,

Yikes.  That I did not realize.  Thank you for the
heads up!

-T


Re: Any 7 rumors?

2014-04-08 Thread Eero Volotinen

 Is SL not PCI compliant because it is not a commercial
 effort?  I thought SL got all the patches the RHEL
 got?  Please elucidate.


There is no PCI requirement(s) to use commercial OS. Please read the
requirements instead of FUD!

--
Eero