[opensuse-factory] openSUSE Leap and security relevant packages
I heard about the development model for the next openSUSE release Leap 42.1. What are the proposed guidelines for security relevant packages? (I mean base security libraries like OpenSSL and security sensitive application packages like Apache or Sendmail.)

Personally I prefer up-to-dateness over maturity for such packages. I would like to explain my rating with an example: Ever since the Poodle attack it's clear that SSL 3 should be disabled. On http://disablessl3.com/ I found instructions to disable SSL 3 on Sendmail. Unfortunately the Sendmail packages of distributions like Ubuntu 14.04 are not recent enough and the proposed SSL settings are missing. So administrators have two bad alternatives: staying with mature, but more or less insecure software, or switching to fresh, secure, unsupported and sometimes unstable packages.

The example is about Ubuntu 14.04. But will openSuSE go in the same direction?

Greetings, Björn

-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 08/05/2015 02:27 AM, Bjoern Voigt wrote:
I heard about the development model for the next openSUSE release Leap 42.1.
What are the proposed guidelines for security relevant packages? (I mean base security libraries like OpenSSL and security sensitive application packages like Apache or Sendmail.)
Presumably, SLE-based packages will follow SLE security guidelines, which are rigorously tested and patched by SUSE's internal Security, Maintenance & QA teams. Presumably, Factory-based packages will follow openSUSE's security guidelines, and will be patched/updated based on open issues for the life of the release, as they always have been.
Personally I prefer up-to-dateness over maturity for such packages.
That sounds like you would prefer Tumbleweed to Leap.
I would like to explain my rating with an example:
Ever since the Poodle attack it's clear that SSL 3 should be disabled. On http://disablessl3.com/ I found instructions to disable SSL 3 on Sendmail. Unfortunately the Sendmail packages of distributions like Ubuntu 14.04 are not recent enough and the proposed SSL settings are missing. So administrators have two bad alternatives: staying with mature, but more or less insecure software, or switching to fresh, secure, unsupported and sometimes unstable packages.
The example is about Ubuntu 14.04. But will openSuSE go in the same direction?
Greetings, Björn
-- James Mason, Technical Architect, Public Cloud, openSUSE Member, SUSE, jmason@suse.com
James Mason wrote:
That sounds like you would prefer Tumbleweed to Leap.
Until now I haven't tested Tumbleweed.
Tumbleweed is probably not recommended for production systems and servers. (See another mail from today: http://lists.opensuse.org/opensuse-factory/2015-08/msg00060.html)

So I see a dilemma. I wrote:
So administrators have two bad alternatives: staying with mature, but more or less insecure software, or switching to fresh, secure, unsupported and sometimes unstable packages.
If I must choose between Tumbleweed and Leap for production systems, I would choose the old openSUSE <=13.2 development model. (Which unfortunately means dropping openSUSE from production systems and going to something like Fedora.)
Greetings, Björn
On 08/05/2015 01:24 PM, Bjoern Voigt wrote:
James Mason wrote:
That sounds like you would prefer Tumbleweed to Leap.
Until now I haven't tested Tumbleweed.
Tumbleweed is probably not recommended for production systems and servers. (See another mail from today: http://lists.opensuse.org/opensuse-factory/2015-08/msg00060.html)
So I see a dilemma. I wrote:
So administrators have two bad alternatives: staying with mature, but more or less insecure software, or switching to fresh, secure, unsupported and sometimes unstable packages.
If I must choose between Tumbleweed and Leap for production systems, I would choose the old openSUSE <=13.2 development model. (Which unfortunately means dropping openSUSE from production systems and going to something like Fedora.)
You do realize that Fedora is referred to, even internally, as 'bleeding edge', right?

-- James Mason, Technical Architect, Public Cloud, openSUSE Member, SUSE, jmason@suse.com
James Mason wrote:
You do realize that Fedora is referred to, even internally, as 'bleeding edge', right?
If I look at the package versions, e.g. on http://distrowatch.com, I would say that Fedora 22 (latest released Fedora distribution) can be somehow compared with openSUSE 13.2 and Fedora Rawhide can be compared with openSUSE Tumbleweed.

My personal opinion: Having 'bleeding edge' packages is a good strategy in relation to security. I prefer bleeding edge packages over back-ported security patches. Of course security is not the only objective for a Linux distribution. Functionality, stability, the amount of packages etc. are important too.

I liked the old development model of openSUSE. Some years ago we had 4 openSUSE releases each year. openSUSE Tumbleweed and Leap are both big steps in opposite directions. Currently I am not happy with either for production systems. On my personal desktops I will probably go to Tumbleweed.

Greetings, Björn
On Wednesday, 5 August 2015, 23:17:46, Bjoern Voigt wrote:
My personal opinion: Having 'bleeding edge' packages is a good strategy in relation to security. I prefer bleeding edge packages over back-ported security patches.
This is basically security by (version) numbers. In the end it does not really matter if it's backported or new versions. The only thing missing in backported versions are new features (and even those can in exceptions be backported).
Of course security is not the only objective for a Linux distribution. Functionality, stability, the amount of packages etc. are important too. I liked the old development model of openSUSE.
So did I. But if it can't be maintained, what is the point?
Some years ago we had 4 openSUSE releases each year.
I've been following openSUSE since 2006 and we never had 4 releases in a year.
openSUSE Tumbleweed and Leap are both big steps in opposite directions. Currently I am not happy with both for production systems.
Tumbleweed on production systems I can understand, but Leap? We are not even at the first beta version and you already judge it as insufficient?
On my personal desktops I will probably go to Tumbleweed.
So do I.

-- Stefan Kunze, SUSE Dispatch Engineer, SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg), Maxfeldstr. 5, D-90409 Nürnberg
Stefan Kunze wrote:
On Wednesday, 5 August 2015, 23:17:46, Bjoern Voigt wrote:
My personal opinion: Having 'bleeding edge' packages is a good
strategy in relation to security. I prefer bleeding edge packages
over back-ported security patches.
This is basically security by (version) numbers. In the end it does not really matter if it's backported or new versions. The only thing missing in backported versions are new features (and even those can in exceptions be backported).
It depends. The reasons why I prefer bleeding edge software over old software with backported security patches are:
- Sometimes the security patch has dependencies on other code changes. A good distribution maintainer with enough time sees the dependencies and handles them right. But who has enough time?
- Usually more upstream developers tested a new release compared with an old release with backported patches.
- Automated security testing software often does not detect the backported patches. The testing software often only evaluates the version numbers. This produces false positives.
- An upstream developer sometimes does not see that he fixed a security hole during development of new releases. Package maintainers have no good chances to detect such problems if the upstream developer or other people do not detect them.
- Not every security improvement fixes a real security bug. In my example (Sendmail with or without SSL 3) the Ubuntu maintainers did not provide any solution for disabling SSL 3 on Sendmail. openSUSE provides a solution (Sendmail 8.14.9 has options to disable SSL 3), but does not automatically deactivate SSL 3 on openSUSE <= 13.2. So I think that distribution maintainers estimate Sendmail with SSL 3 as a low severity problem.
- Security improvements on base libraries like OpenSSL often cannot be backported, because too many packages have dependencies on them and testing and fixing all the dependent software is too much work. Things become difficult if the security library patches change the ABI.
Of course security is not the only objective for a Linux
distribution. Functionality, stability, the amount of packages etc.
are important too. I liked the old development model of openSUSE.
So did I. But if it can't be maintained, what is the point?
Some years ago we had 4 openSUSE releases each year.
I've been following openSUSE since 2006 and we never had 4 releases in a year.
I have used SuSE/openSUSE since around 1996/1997. I think we had 4 releases a year around 2000, but I am not sure.
openSUSE Tumbleweed and Leap are both big steps in opposite directions.
Currently I am not happy with both for production systems.
Tumbleweed on production systems I can understand, but Leap? We are not even at the first beta version and you already judge it as insufficient?
Of course I currently cannot judge the quality of Leap. But I heard that the decision to go for Leap is made. The community cannot change the decision, but we probably can influence the details. (For instance I heard that the community has prevailed, so that openSUSE Leap will use Kernel 4.1 instead of an old 3.x Kernel like SLES 12. Of course Kernel 4.1 will be old too at the Leap 42.1 release date.) Personally I would recommend to think about using bleeding edge security software (libraries and applications). Currently I simulate this with additional repositories like [server:mail] or [server:database]. I hope that we can use such (well maintained and relatively stable) repositories on Leap too.
On my personal desktops I will probably go to Tumbleweed.
So do I.
Good.

Greetings, Björn
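The point Björn makes about automated security testing (a scanner that only compares version numbers flags a package as vulnerable even when the distribution backported the fix) can be shown with a small check that combines the version comparison with the package changelog. This is an added example, not code from the thread or from any distribution tool; the CVE ids, package versions and changelog lines are constructed placeholders, laid out like `rpm -q --changelog` output.

```python
"""Version-only vulnerability checks vs. checking for a backported fix.

Added example (not from the mailing list thread). All CVE ids, versions
and changelog text below are constructed placeholders, not real advisories.
"""
import re

# Constructed sample in the shape of `rpm -q --changelog <pkg>` output for a
# distribution package whose maintainer backported a fix without bumping
# the upstream version (the package still reports 1.0.1k).
SAMPLE_CHANGELOG = """\
* Thu Mar 19 2015 maintainer@example.invalid
- backport upstream fix for CVE-0000-0001 (placeholder id)
- bsc#000000: adjust test suite for the backport

* Tue Jan 13 2015 maintainer@example.invalid
- update to 1.0.1k
"""


def parse_version(v: str) -> tuple:
    """Split '1.0.1k' into a comparable tuple.

    Numeric tokens sort before alphabetic ones and each token is tagged
    with its kind, so mixed tuples never raise TypeError on comparison.
    """
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[a-z]+", v))


def version_only_check(installed: str, fixed_in: str) -> bool:
    """What a naive scanner does: 'vulnerable' iff installed < first fixed
    upstream version. Backports are invisible to this check."""
    return parse_version(installed) < parse_version(fixed_in)


def changelog_mentions(changelog: str, cve: str) -> bool:
    """Evidence of a backport: the distribution changelog cites the CVE id."""
    return re.search(r"\b" + re.escape(cve) + r"\b", changelog) is not None


def assess(installed: str, fixed_in: str, cve: str, changelog: str) -> str:
    """Combine both signals.

    Returns 'patched' (version already at or above the upstream fix),
    'backported' (older version, but the changelog cites the CVE) or
    'vulnerable' (older version and no backport evidence). A changelog
    entry shows the maintainer's intent, not that the backport is complete;
    that is the residual risk Björn's first bullet point describes.
    """
    if not version_only_check(installed, fixed_in):
        return "patched"
    if changelog_mentions(changelog, cve):
        return "backported"
    return "vulnerable"


if __name__ == "__main__":
    # The naive check alone reports a false positive for the backported fix.
    print(version_only_check("1.0.1k", "1.0.1m"))                      # True
    print(assess("1.0.1k", "1.0.1m", "CVE-0000-0001", SAMPLE_CHANGELOG))  # backported
    print(assess("1.0.1k", "1.0.1m", "CVE-0000-0002", SAMPLE_CHANGELOG))  # vulnerable
```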
On Thu, 2015-08-06 at 09:45 +0200, Bjoern Voigt wrote:
I've been following openSUSE since 2006 and we never had 4 releases in a year.
I have used SuSE/openSUSE since around 1996/1997. I think we had 4 releases a year around 2000, but I am not sure.
The maximum was three, if one can trust https://en.wikipedia.org/wiki/SUSE_Linux_distributions#Suse_distributions

But keep in mind the SuSE Linux at the time was developed entirely differently compared to openSUSE now - most notably: it was done behind closed doors without you having any word in it.

Cheers,
-- Dimstar / Dominique Leuenberger <dimstar@opensuse.org>
Dimstar / Dominique Leuenberger wrote:
On Thu, 2015-08-06 at 09:45 +0200, Bjoern Voigt wrote:
I've been following openSUSE since 2006 and we never had 4 releases in a year.
I have used SuSE/openSUSE since around 1996/1997. I think we had 4 releases a year around 2000, but I am not sure.
The maximum was three, if one can trust https://en.wikipedia.org/wiki/SUSE_Linux_distributions#Suse_distributions
You are right. But SLES comes every 2-5 years, e.g. SLES 11 2009 and SLES 12 2014. You understand that's a big change for users who come from 3 releases a year to Leap with a SLES base and the base changes every 2-5 years.
But keep in mind the SuSE Linux at the time was developed entirely differently compared to openSUSE now - most notably: it was done behind closed doors without you having any word in it.
I know. In these times we wrote e-mails to the package maintainers if we found a problem. Bugzilla, build service, additional repositories etc. came later. But we also had to pay for the SuSE boxes, and only some users had a fast Internet connection and were able to download SuSE. Today, probably the SLES users contribute most to sales. That's why their interests are more important!?

Greetings, Björn
On Thu, 2015-08-06 at 10:26 +0200, Bjoern Voigt wrote:
You are right. But SLES comes every 2-5 years, e.g. SLES 11 2009 and SLES 12 2014. You understand that's a big change for users who come from 3 releases a year to Leap with a SLES base and the base changes every 2-5 years.
You have to compare what openSUSE did, not what SuSE Linux did. openSUSE has been trying to keep up an 8 month cycle, more or less successfully, and then basically formally agreed that a 12 month cycle is more realistic. SLE 11 to SLE12 took a long time, but SLE12 to SLE12SP1 is much shorter (~ one year), and the same is expected for SLE12SP2. And the SLE12 Service Packs are not just meant to be collections of patches, but are actually allowed to bring new versions as well... and every new Leap version will be based on the latest service pack. So the 5 year scenario you present there is painting a wrong picture.

And besides that, Leap is not FORCED to use SLE packages: there is a lot of stuff already coming from Tumbleweed into Leap 42.1, and there is no reason to believe that Leap 42.2 (which will be based on SLE12SP2) will not do the same for stuff that is considered 'out of date, but interesting/important enough to be updated'. You see, the 5 year cycle you mention bears no importance at all.
But keep in mind the SuSE Linux at the time was developed entirely differently compared to openSUSE now - most notably: it was done behind closed doors without you having any word in it.
I know. In these times we wrote e-mails to the package maintainers if we found a problem. Bugzilla, build service, additional repositories etc. came later.
But we also had to pay for the SuSE boxes, and only some users had a fast Internet connection and were able to download SuSE. Today, probably the SLES users contribute most to sales. That's why their interests are more important!?
The SLE customers pay for a service and for the fact that they are not supposed to WORK on creating the distribution. openSUSE (the distribution) is a community product: if the community is not working on it, there won't be a product. Don't think that one single sponsor (SUSE in this case) is going to maintain all of it.

-- Dimstar / Dominique Leuenberger <dimstar@opensuse.org>
Stefan Kunze writes:
Some years ago we had 4 openSUSE releases each year.
I've been following openSUSE since 2006 and we never had 4 releases in a year.
I'm fuzzy on the actual release dates, but I'm pretty sure that SuSE (the old spelling, but already without the dots and not "open" though) went from 6.1 to 6.4 in slightly less than a year. It may not have been within the same calendar year, though.

Regards, Achim.

-- Achim Gratz
On Thu, Aug 06, 2015 at 06:20:48PM +0200, Achim Gratz wrote:
Stefan Kunze writes:
Some years ago we had 4 openSUSE releases each year.
I've been following openSUSE since 2006 and we never had 4 releases in a year.
I'm fuzzy on the actual release dates, but I'm pretty sure that SuSE (the old spelling, but already without the dots and not "open" though) went from 6.1 to 6.4 in slightly less than a year. It may not have been within the same calendar year, though.
The German Wikipedians have the long list of release dates: https://de.wikipedia.org/wiki/OpenSUSE#Versionen

Ciao, Marcus
On August 5, 2015 5:17:46 PM EDT, Bjoern Voigt <bjoernv@arcor.de> wrote:
James Mason wrote:
You do realize that Fedora is referred to, even internally, as 'bleeding edge', right?
If I look at the package versions, e.g. on http://distrowatch.com, I would say that Fedora 22 (latest released Fedora distribution) can be somehow compared with openSUSE 13.2 and Fedora Rawhide can be compared with openSUSE Tumbleweed.
My personal opinion: Having 'bleeding edge' packages is a good strategy in relation to security. I prefer bleeding edge packages over back-ported security patches.
Of course security is not the only objective for a Linux distribution. Functionality, stability, the amount of packages etc. are important too. I liked the old development model of openSUSE. Some years ago we had 4 openSUSE releases each year. openSUSE Tumbleweed and Leap are both big steps in opposite directions. Currently I am not happy with either for production systems. On my personal desktops I will probably go to Tumbleweed.
Greetings, Björn
By package count, Leap is expected to be 20% or less from SLES. The other 80% will follow the old 13.2 model from what I can see. The decision to abandon openSUSE Leap should be made a year or more from now.

Greg
On Wed, Aug 5, 2015 at 6:27 AM, Bjoern Voigt <bjoernv@arcor.de> wrote:
I heard about the development model for the next openSUSE release Leap 42.1.
What are the proposed guidelines for security relevant packages? (I mean base security libraries like OpenSSL and security sensitive application packages like Apache or Sendmail.)
Personally I prefer up-to-dateness over maturity for such packages. I would like to explain my rating with an example:
Ever since the Poodle attack it's clear that SSL 3 should be disabled. On http://disablessl3.com/ I found instructions to disable SSL 3 on Sendmail. Unfortunately the Sendmail packages of distributions like Ubuntu 14.04 are not recent enough and the proposed SSL settings are missing. So administrators have two bad alternatives: staying with mature, but more or less insecure software, or switching to fresh, secure, unsupported and sometimes unstable packages.
The example is about Ubuntu 14.04. But will openSuSE go in the same direction?
Looks like you need Tumbleweed. You do not even need to do anything in your example case, because Tumbleweed's OpenSSL does not have SSLv3 support (disabled since late June).
participants (8)
- Achim Gratz
- Bjoern Voigt
- Cristian Rodríguez
- Dimstar / Dominique Leuenberger
- greg.freemyer@gmail.com
- James Mason
- Marcus Meissner
- Stefan Kunze