?

Log in

Critical or Not - Ulrich Drepper [entries|archive|friends|userinfo]
Ulrich Drepper

[ website | My Website ]
[ userinfo | livejournal userinfo ]
[ archive | journal archive ]

Critical or Not [Jun. 30th, 2006|04:51 pm]
Ulrich Drepper
One thing many people apparently don’t understand is that the same reported security problem can have different severity levels for different distributions. This is why one distribution might have to issue a security update right away when the vulnerability is made public while others can wait.

RHEL (especially RHEL4) has many security features which can alleviate many problems. Critical problems suddenly are not critical anymore since the security features will prevent the remote exploit. This is why we spent so much time on the security features.

So, next time you see somebody complain that a RHEL update for a vulnerability is not released in time make sure Red Hat does not classify the bug differently than your other distribution. Given that we are not shipping all kinds of junk and we can classify some vulnerabilities as less severe we can focus on the inevitable remaining problems.
linkReply

Comments:
From: ext_28460
2007-01-15 12:44 am (UTC)

Marketing

RedHat is miles ahead of basically all other Operating Systems in this area, let alone other Linux distros... But almost nobody knows about this advantage outside the RH users camp; not even the majority of skilled *nix developers...

Why does it need to be this way? Or is RedHat's sole marketing strategy encouraging it's employees to blog on LJ?
(Reply) (Thread)