SELinux last straw

Les Mikesell lesmikesell at gmail.com
Thu Oct 18 20:11:53 UTC 2007 

Arthur Pemberton wrote:

> Well it would be nice if you diccuss one topic at a time, fedora
> updates is one matter, and SELinux history is another.

You can't separate them unless you can describe the process someone 
would use to get one without the other.  It's a package deal.

> Your argument seems to be to remove, my argument is disable/don't
> enable if you don't like it. And if that's not your argument, you're
> arguing alongside those are calling for it's removal. The better thing
> would be to use your skills to find any and all left over bugs as the
> technology expands.

Disabling works for me, but in my opinion it would have been better to 
have it as a separate installable package not included by default.

>>    I have personally had multiple instances of devices that were not
>> supported in new versions, devices that changed names, breaking the
>> configurations, updates that installed kernels that would not boot
>> previously working systems, and the list is full of similar problems in
>> addition to the ones mentioning SELinux.
> 
> That's two different issues. The former is regression issues - most of
> which aren't probably even directly the fault of Fedora. 

Fedora may not have written the code that broke things, but they didn't 
have to ship it.

>> But assume your payroll system is running on
>> something that fails to boot or can't access it's data after you do an
>> update that is required for some security issue.  Now what?
> 
> Now you get fired for using a fast pace, mostly bleeding edge distro
> in your fiscally important production environment.

Is that made clear in all places where fedora is distributed?

>> Perhaps, but if you want to deliver a product that does not have a
>> usable way to fix subsequently discovered security flaws after a sort
>> time then it should have an actual expiration date and self-destruct
>> instead of being left as easy prey for exploits that turn them into
>> zombie spam relays or worse.
> 
> You know that's not really possible. People still run Windows 95,
> Fedora is the last place to look for expiring distros.

I doubt if there is a windows95 box still running in a position to be 
compromised that hasn't already been.

>> I, and probably most of the list members
>> here, understand the experimental nature of fedora and that it simply is
>> not suitable for anything that needs to be reliable over long periods of
>> time.
> 
> I'm confused, your arguments were all based otherwise.

My understanding comes from experience that is not reflected in fedora 
PR material.  I'd like a little more truth in advertising for new users.

>> However, I don't think everyone who has installed fedora
>> understands that or the dangers of continuing to run any software beyond
>>   the time it is supported with security updates.
> 
> I don't know what anyone can do about that? Make people agree to an
> EULA that says they must upgrade every cycle?

Backport update patches or force it to shut down.  Otherwise it is a 
public danger.

>> It
>> makes sense just because of the difficulty of keeping the installation
>> up to date over the life of a machine.
> 
> It's not difficult. It's inconvenient for _some_ - not sure what percentage.

Let's qualify that 'not difficult' statement.  How much would you charge 
to do this for me over the next 5 years?

>> Fedora isn't the only disto in
>> this shape but it is probably one of the most popular with one of the
>> most difficult upgrade paths.
> 
> Again, you're talking about Fedora upgrade paths in a thread about
> SELinux. We can't have a constructive discussion if you want to argue
> two different issues at the same time.

Security isn't a single thing so it doesn't make sense to discuss on 
piece out of context.  I'm arguing that updates are your first line of 
defense and anything that makes your updates slower or less likely hurts 
more than SELinux can help.

>> I wouldn't be surprised if there are
>> still large numbers of FC1 through FC5 installations in use
> 
> A majority of those would be lazy/cheap/lying hosting companies who
> just throw Fedora on machines and then don't update them

I'd guess more normal end users, but in the hosting company case, how 
much will break if they update?  Would you trust a version upgrade on a 
fedora box with customers arbitrary applications?

>> because the
>> currently supported versions don't ensure (or even suggest) backwards
>> compatibility, in place upgrades, or even a convenient way to back out
>> to your previous version if you try an upgrade and find that it doesnt'
>> work with your hardware or applications.
> 
> 
> That's all true. But again, has little to do with the topic at hand.

If the topic at hand is security, it has everything to do with it.

> It isn't a technically trivial problem to get fast paced moving
> software to revert to any previous state, far less to do that
> reliably. If you're interesting a SIG to solve this problem, I don't
> think you will get any resistance. However, for a lot of the people
> doing the actual work, they don't seem to consider this a high
> priority problem, I myself don't.

I agree that this is probably hopeless for Linux because it isn't a 
priority.  Solaris has always gone to extremes about maintaining 
backwards compatibility and not breaking working applications so maybe 
the new distros like nexenta that use the opensolaris kernel will 
continue this history.

-- 
   Les Mikesell
    lesmikesell at gmail.com

More information about the fedora-list mailing list