
An Alternate View of the Future


Counterspy

Guest blackstripe

Interesting article. I think the author has a point when he mentions something like a nonprofit distro of Linux. For one, it would be nice to not have to rely on companies for a modified version of software (like some distros that change the directory structure for KDE). Energy could also be more focused on generating a better product in the beginning rather than modifying it later for specific purposes. This would result in faster development times and better software. And if someone wanted specific patches for his kernel (say optimizations for Intel CPUs), he could just download a patch. Combine all this with an easy install process, and we could have a winning product in our hands.


Mandrake has contributed lots of great stuff to the Linux community. One such useful tool is harddrake, which is a very useful partition setup utility. There are others as well. To count Mandrake out is counterproductive. I personally would rather see more cooperation between them and other distributions (like SuSE, for example), but I love Mandrake for its relative simplicity in installation and configuration. Is it perfect? No. But it's a very good distro. And NO distro is perfect. RedHat changes way too many things. SuSE is a little more difficult to get running,... etc.


"Part of the problem with security is Mandrake's attitude about it. The priority is on the current version and on cooker. Not on updates. The maintainers for the packages don't maintain their packages. They toss them up there and forget about them once the version releases for the most part. No matter how dire the security threat, developers never put the priority on those updates. Nor does the Quality Assurance department.

 

The updates that get produced are supposed to be reviewed by QA. Often QA is slow or flat out too busy working on cooker to bother with security updates. Often updates get pushed out without QA approval because they've simply waited far too long and really need to be released. Even if QA does do any testing, they severely slow down the update release cycle. Opening more of a window for crackers to gain access to your machine running Mandrake.

 

Fortunately, there is a group of volunteers that do some testing, the Mandrake Security Team. So at least your updates are usually well tested. Again it is the community picking up the slack and doing the hard work to get updates done.

 

It's not just producing the updates themselves. Mandrake makes available downloads of ISOs. The ISOs contain the public keys that are used to validate the security updates that you download. Unfortunately, those ISOs are not signed with any key. So the ISOs that you download from all of the mirrors, which Mandrake does not control, could have modified versions of the ISO with an extra key. If someone can modify an ISO they can add an extra package. So now every Mandrake user who downloads ISOs is at risk for a trojan horse update. After pointing this out to Mandrake on many occasions, it's still not been corrected. The MNF ISO does have its md5sum signed, but most users wouldn't even be aware it was there. Mandrake has made no attempt to educate their users as to proper verification techniques for ensuring the ISOs have not been tampered with. Further, signing the MD5 sum means you are relying on the security of the MD5 hash. Which has already been shown to be vulnerable to attack in the past.

 

Finally, Mandrake has produced MNF and appears to be hinting that they will be charging for security updates for it. That's right folks. They will be charging you for updates to a firewall. This is exactly the type of "security for sale" policy that Vincent complained about on his website with regards to ISC's BIND (the DNS server that most everyone runs). Yet here is Mandrake engaging in it. This is terribly unfortunate. Attempts to clarify this issue were simply ignored."

 

I don't know how true any of this is, but I was using ML8.2 for five months and ML for 1 month and never updated anything. Was a newbie. Didn't know how.

 

I have been using RH8 for 3 months and have gotten 25+ updates (I am not sure; in fact I am updating now, grabbing 5 new packages... It tells me it needs updates and I grab them).

 

The feeling I get with Mandrake is that I get a great product and am left on my own. Luckily this community is here. RedHat gives me support (updates) and is very active about trying to make sure that my version is current. I got a free download version. I was impressed. More than happy to fork over the $25 they charge for RH8 over here.

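The verification chain the quoted passage says is missing, sketched as an added example that is not part of any post in this thread: authenticate a checksum manifest with a detached signature, then check the downloaded image against it. It assumes `gpgv` is installed, a `sha256sum`-style manifest (SHA-256 rather than the MD5 sum the quote mentions), and a vendor keyring obtained out of band; all function and file names are hypothetical.

```python
import hashlib
import hmac
import os
import subprocess
import tempfile

def signature_ok(manifest_path, sig_path, keyring):
    # gpgv exits 0 only for a good detached signature by a key in `keyring` (assumed trusted).
    cmd = ["gpgv", "--keyring", keyring, sig_path, manifest_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def parse_manifest(text):
    # sha256sum-style lines: "<64 hex chars>  <file name>"
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            entries[parts[1].lstrip("*").strip()] = parts[0].lower()
    return entries

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def image_matches(iso_path, manifest_text):
    expected = parse_manifest(manifest_text).get(os.path.basename(iso_path))
    return expected is not None and hmac.compare_digest(sha256_file(iso_path), expected)

def verify_download(iso_path, manifest_path, sig_path, keyring):
    # Signature first: a manifest fetched from the same mirror proves nothing by itself.
    if not signature_ok(manifest_path, sig_path, keyring):
        return False
    with open(manifest_path) as f:
        return image_matches(iso_path, f.read())

def demo():
    # Constructed stand-in image; one appended byte models a modified mirror copy.
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "example.iso")
        with open(iso, "wb") as f:
            f.write(b"constructed image contents\n")
        manifest = sha256_file(iso) + "  example.iso\n"
        before = image_matches(iso, manifest)
        with open(iso, "ab") as f:
            f.write(b"x")
        return before, image_matches(iso, manifest)
```

An image that the manifest does not list is rejected rather than skipped, so an extra file on a mirror cannot pass by omission.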
