[opensuse-security] Re: [security-announce] openSUSE 11.2 has reached end of SUSE support - 11.2 Evergreen goes on!
Hi Marcus,

is this the new strategy of Attachmate to compete against Ubuntu, Debian and Fedora/CentOS who have moved way beyond openSUSE in numbers of users? While other distributions obviously found out that many users, not only in the business sector, want distributions to be supported 3 to 5 years at least (don't touch a running system) openSUSE cuts it down to 18 months now suddenly. What's next? 12 months?

Looks like the management-strategy of Attachmate is succeeding - cutting down the number of employees will reduce the maintenance power and time-frame, then the users, then the number of employees and so on... And when openSUSE is dead the costs will be down to zero - then it will be a maximal success!

I've used SuSE / openSUSE for the last 15 years but now I'm gone! And no, evergreen is not an alternative (yet?). Although I appreciate the work the evergreen-team puts into it, in my opinion the patches are released way too slow there (any kernel-updates for 11.1 for the last security problems?).

Greetings and a sad good-bye to openSUSE,
Ralf

On 05/12/2011 07:01 PM, Marcus Meissner wrote:
Hi,
With the release of a kdelibs4 security fix on Thursday 12th of May SUSE has released the last update for openSUSE 11.2.
openSUSE 11.2 is now officially discontinued and out of support by SUSE.
However the openSUSE Evergreen community effort is going to continue the openSUSE 11.2 maintenance similar to 11.1.
The overview page of this project, how to activate and use it, and other details, is on: http://en.opensuse.org/openSUSE:Evergreen
The Evergreen project is led by openSUSE community member Wolfgang Rosenauer.
Here are some security statistics:
openSUSE 11.2 was released on November 12th 2009, making it 18 months of security and bugfix support.
Some statistics on the released patches (compared to 11.1, which had 7 months more):
(As comparison would otherwise be difficult due to the different lifetimes, I did adjust the 11.1 numbers by *18/25)
Total updates: 489 (-19)
Security: 317 (-19)
Recommended: 172 (+ 3)
Optional: 0 (- 3)
CVE Entries: 1134 (+288) (-35 unadjusted)
There is a 3% decrease in the number of security updates compared to openSUSE 11.1. There is however a 24% increase in CVE numbers fixed.
The increase is largely due to approximately 180 webkit CVEs we solved by two version upgrades.
Top issues (compared to 11.1 for issues down to 5), (not lifetime adjusted):
13 MozillaFirefox (-6)
11 seamonkey (+3)
10 flash-player (+1)
9 krb5 (+4)
8 MozillaThunderbird (0)
8 java-1_6_0-openjdk (-2)
8 acroread (-3)
7 opera (-2)
6 mozilla-xulrunner191
5 tomcat6
5 libopenssl-devel (-4)
5 kernel (-9)
5 java-1_6_0-sun (+2)
5 clamav (-2)
5 apache2-mod_php5 (-2)
And top issues sorted by CVE (Common Vulnerability Enumeration) count (down to 5) (compared to 11.1 for the top, not adjusted to lifetime):
180 libwebkit (NEW)
120 seamonkey (+37)
119 MozillaFirefox (-44) (would be around 0 equalized)
113 acroread (-2)
95 MozillaThunderbird (-25)
94 java-1_6_0-sun (-20)
106 kernel (+23)
84 mozilla-xulrunner191 (-43)
83 flash-player (+1)
63 java-1_6_0-openjdk (-20)
45 php5 (+7)
27 opera (0)
26 wireshark (-7)
23 mysql (+8)
18 freetype2 (+1)
15 krb5 (+3)
19 OpenOffice_org (+12)
12 pidgin/finch (-2)
11 tomcat6 (+1)
10 clamav (0)
9 perl
9 poppler (-4)
9 postgresql (-2)
8 cups
8 python
6 sudo
6 gimp
6 glibc
6 openssl (-8)
6 libvirt
6 bind
5 viewvc
5 ghostscript (-6)
5 texlive
5 fuse
5 libtiff
5 exim
5 dovecot12
5 build
5 evince
5 python-feedparser
5 libpcsclite1
5 samba (-7)
# security updates by count (package name recovered from the updateinfo-<package>-<number>.xml file name)
# grep -l type..secur updateinfo-*|sed -e 's/^updateinfo-//;s/-[0-9]*.xml$//;'|sort|uniq -c|sort -rn|less

# unique CVE ids across all updates (the perl hash deduplicates ids that several updates name)
# grep CVE- update* |perl -e '%cve=();while (<>) { while (/(CVE-2...-....)/) { $cve{$1}++; s/CVE-2...-....//;} } print join("\n",sort keys %cve)."\n";' | wc -l

# CVE ids per package: unique per update file, then summed per package and sorted descending
# for i in updateinfo-* ; do echo -n "$i " ; grep CVE- $i|perl -e '%cve=();while (<>) { while (/(CVE-2...-....)/) { $cve{$1}++; s/CVE-2...-....//;} } print join("\n",sort keys %cve)."\n";' | wc -l ; done |perl -e 'while (<>) { /^updateinfo-(\S*)-\d*.xml (\d*)$/; $cnt{$1}+=$2; } ; foreach (sort { $cnt{$b} <=> $cnt{$a} } keys %cnt) { print "$cnt{$_}\t\t$_\n";} '
-- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
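The counting that the quoted shell and perl one-liners perform, reimplemented here in Python as an added example (not code from the thread or from openSUSE) over constructed sample updateinfo files; it assumes only the updateinfo-<package>-<number>.xml naming and the type="security" attribute the commands themselves rely on, and generalizes the CVE pattern to the longer sequence numbers in use today:

```python
import glob
import os
import re
import tempfile
from collections import Counter

# The one-liners match CVE-2...-....; this also accepts the longer sequence numbers used since 2014.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample updateinfo files (not real openSUSE updates), named the way the
# one-liners expect: updateinfo-<package>-<number>.xml
SAMPLE_FILES = {
    "updateinfo-kernel-1.xml": '<update type="security"><references><reference id="CVE-2011-0001" type="cve"/>'
        '<reference id="CVE-2011-0002" type="cve"/></references></update>',
    "updateinfo-kernel-2.xml": '<update type="security"><references><reference id="CVE-2011-0002" type="cve"/>'
        '<reference id="CVE-2011-0003" type="cve"/></references></update>',
    "updateinfo-libwebkit-1.xml": '<update type="security"><references><reference id="CVE-2011-0010" type="cve"/>'
        '<reference id="CVE-2011-0010" type="cve"/></references></update>',  # same CVE named twice
    "updateinfo-yast2-1.xml": '<update type="recommended"><references/></update>',
}

def write_samples(directory=None):
    """Write the constructed sample files into a temp directory and return its path."""
    directory = directory or tempfile.mkdtemp(prefix="evergreen-")
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(directory, name), "w", encoding="utf-8") as f:
            f.write(body)
    return directory

def package_of(path):
    """updateinfo-<pkg>-<n>.xml -> <pkg>, what the sed in the first one-liner does."""
    return re.sub(r"^updateinfo-|-\d+\.xml$", "", os.path.basename(path))

def count_updates(directory):
    """Return (security updates per package, unique CVEs overall, CVEs per package).
    CVEs are deduplicated within each update file and then summed per package, so a CVE
    fixed by two updates of one package counts twice there but once overall, exactly
    what the perl hashes in the one-liners do."""
    sec_per_pkg, cves_per_pkg, all_cves = Counter(), Counter(), set()
    for path in sorted(glob.glob(os.path.join(directory, "updateinfo-*.xml"))):
        with open(path, encoding="utf-8") as f:
            text = f.read()
        pkg = package_of(path)
        if 'type="security"' in text:       # the grep -l type..secur test
            sec_per_pkg[pkg] += 1
        cves = set(CVE_RE.findall(text))
        cves_per_pkg[pkg] += len(cves)
        all_cves |= cves
    return sec_per_pkg, all_cves, cves_per_pkg
```

With the sample files the per-package CVE counts sum to 5 while only 4 distinct CVEs exist, which is why the thread reports the two numbers separately.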
Am 12.05.2011 21:24, schrieb Ralf Ronneburger:
And no, evergreen is not an alternative (yet?). Although I appreciate the work the evergreen-team puts into it, in my opinion the patches are released way too slow there (any kernel-updates for 11.1 for the last security problems?).
Somehow I like to comment on that from the Evergreen perspective. Usually we can only prepare updates once we know they are needed. In general we know at the moment they are released for the other openSUSE distributions. That's a process issue I cannot really change. The kernel is a problem indeed. It's an explanation but doesn't make it better in the end though. But then again the updates are usually released pretty fast. What delay would be acceptable to you? There are examples where Evergreen released updates for 11.1 faster than they were for 11.2 and above. But that's also the exception. I also miss a long term supported openSUSE release (that's why I started Evergreen) so we basically agree but this has nothing to do with Attachmate since the support lifetime was announced to be 18 months ages ago.
Wolfgang
Hi Wolfgang, On 05/12/2011 09:37 PM, Wolfgang Rosenauer wrote:
The kernel is a problem indeed. It's an explanation but doesn't make it better in the end though. But then again the updates are usually released pretty fast. What delay would be acceptable to you?
as a first step it would be good to have an overview on the evergreen-page about what security problems need fixing like:
CVE-XYZ from 05.05.2011 - in progress
CVE-XXY from 06.05.2011 - open
CVE-XYY from 10.05.2011 - fixed
That would also make it easier for others to help. About the acceptable delay - it depends on the type and severity of the problem and on the package affected - I can't give you a general number. In the end it will be compared to the other vendors, so it should not be much slower than them. As you said - the kernel is a problem and that's what makes me uneasy with evergreen for 11.1 currently. But again - I really appreciate your work and I've also noticed that some patches were out very fast!
Greetings,
Ralf
Am 12.05.2011 21:51, schrieb Ralf Ronneburger:
as a first step it would be good to have an overview on the evergreen-page about what security problems need fixing like:
CVE-XYZ from 05.05.2011 - in progress
CVE-XXY from 06.05.2011 - open
CVE-XYY from 10.05.2011 - fixed
That would also make it easier for others to help.
hmm, ok, so the "open" status is missing in the current page: http://en.opensuse.org/openSUSE:Evergreen_11.1 If I'd expect that someone grabs open ones to work on them it would make sense to add them but honestly there are almost no "others".
About the acceptable delay - it depends on the type and severity of the problem and on the package affected - I can't give you a general number. In the end it will be compared to the other vendors, so it should not be much slower than them.
Evergreen was not really started to compete with the others but because it's better to have updates at all than running the systems w/o any updates. I know that is not enough but it's all we can provide at the moment.
Wolfgang
Hi Wolfgang, On 05/12/2011 10:42 PM, Wolfgang Rosenauer wrote:
hmm, ok, so the "open" status is missing in the current page: http://en.opensuse.org/openSUSE:Evergreen_11.1 If I'd expect that someone grabs open ones to work on them it would make sense to add them but honestly there are almost no "others".
still I think it would have three positive effects:
* to inform about known problems
* with that information people can decide what to do - to fix it themselves and hopefully contribute to evergreen or to find other countermeasures
* to motivate people to inform evergreen about other problems that might not yet be on the screen
I think this would be worth it.
Evergreen was not really started to compete with the others but because it's better to have updates at all than running the systems w/o any updates. I know that is not enough but it's all we can provide at the moment.
Yes, sure, that's what I like about it and what you provide is sure better than nothing.
Greetings,
Ralf
On 2011-05-12 21:24, Ralf Ronneburger wrote:
is this the new strategy of Attachmate to compete against Ubuntu, Debian and Fedora/CentOS who have moved way beyond openSUSE in numbers of users?
Although I strongly dislike the 18 month policy, it is not new, and has nothing to do with Attachmate. It was announced by Novell about two years ago. However, it is true that 11.2 is the first version affected. http://en.opensuse.org/Lifetime
--
Cheers / Saludos, Carlos E. R. (from 11.2 x86_64 "Emerald" at Telcontar)
On 05/12/2011 09:46 PM, Carlos E. R. wrote:
Although I strongly dislike the 18 month policy, it is not new, and has nothing to do with Attachmate. It was announced by Novell about two years ago. However, it is true that 11.2 is the first version affected.
O.K., thanks for pointing that out, I must have missed that information. Then Attachmate is not to blame for this.
On Thu, May 12, 2011 at 09:56:43PM +0200, Ralf Ronneburger wrote:
On 05/12/2011 09:46 PM, Carlos E. R. wrote:
Although I strongly dislike the 18 month policy, it is not new, and has nothing to do with Attachmate. It was announced by Novell about two years ago. However, it is true that 11.2 is the first version affected.
O.K., thanks for pointing that out, I must have missed that information. Then Attachmate is not to blame for this.
I am also afraid you need to voice your concerns on other lists, no one who can decide this is on this list. -project perhaps.
Ciao, Marcus