echo: nthelp
to: Geo.
from: Adam Flinton
date: 2004-02-28 10:42:00
subject: Re: https://rhn.redhat.com/errata/RHSA-2004-051.html

From: Adam Flinton 

Geo. wrote:

> "Adam Flinton"  wrote in message
> news:403efec9$1{at}w3.nls.net...
>
>
>>Surely what's in the distro is up to the distro? I.e. RH is looking to
>>bundle the ObjectWeb stuff (Jonas, Joram et al). It's not up to the
>>Jonas people to bundle Jonas into RH it's up to RH.
>
>
> Does Linus contribute to the RH product? If he screws up and codes something
> that's exploitable don't you consider that a RH exploit if it affects RH?
>

Yes I do. It is both a RH exploit & a linux one. Being a linux one it
is also a mandrake one, a Suse/Novell one, a debian one, a knoppix one, a
slackware one etc.etc.etc.

That would be an example of a "linux" exploit. That would be the
sort of exploit Rich should have quoted had he actually been talking about
"linux" & not simply dissembling as usual.

A problem with GAIM is not. It is a vuln with GAIM. I did get an update via
mandrake. I use GAIM on windows too but I have yet to get an update via MS.

> Or are you trying to say RH is responsible for nothing at all, not even the
> core of the OS?

No. How do you get to that from:

"Surely what's in the distro is up to the distro? I.e. RH is looking
to bundle the ObjectWeb stuff (Jonas, Joram et al). It's not up to the
Jonas people to bundle Jonas into RH it's up to RH."

?????

I'm saying that what is in the distro is up to the distro maker, just as
what is in Windows is up to MS. You have a base set of stuff required for
linux to work (kernel & some drivers) & that after that it's up to
the distro maker. But a given distro maker builds on top of linux it is not
linux per se.

So as an example the fact that GAIM is in RH but not in a floppy disk dist
for use as a firewall/router is up to the relative distro makers.

If RH put Jonas into RH then that is RH'es choice & not the Jonas
people's choice.

Let's say I write a great app. I make it OSS. If RH shove it into their
distrib or Mandrake do or Debian do then that's up to them. That's the
whole point of putting together a distribution.


> I mean by your reasoning if someone buys RH there is nobody
> they can hold responsible for providing patches? They just have to hope
> someone releases a patch and that they happen upon it somewhere on the web?
>

No.

Firstly define responsibility within this context. What I mean by this is
that the people building & running the systems/distributions are
responsible because they too use the system. e.g. you say "If you get
it for free then no sale ergo no product ergo etc" & yet Debian
provide patches etc. Mandrake Download edition is patched etc.etc. Download
the Mandrake ISO'es for free, install & the first thing it does is ask
if you want it to go off & pull down any updates. You then get an Icon
with "Mandrake Update" on it. Click on it & once more it will
update the system & apply the patches. This is a "for free"
distrib. Fedora (the rh free dist) includes "up2date" &
patches are distrib'ed using that (or you can d/l the patches from RH
yourself).

Secondly if you look at the MS EULA you can't hold em responsible for
anything so while MS do provide patches it's mostly because they would be
dead in the water commercially w/o them. But if you mean "legally
responsible" then MS ain't. If you want me to quote the relevant part
of the EULA's then I will but I think you know those sections already.

Thirdly the "product" can be "discontinued" at any
time. Who are you going to go for for patches to NT4? With linux
"responsible" people are still maintaining the 2.2 & 2.0 tree
even though the majority are looking at moving to 2.6.

e.g.:

http://www.kernel.org/

The latest stable version of the Linux kernel is:         2.6.3        2004-02-18 04:36 UTC  F  V  VI  C  Changelog
The latest prepatch for the stable Linux kernel tree is:  2.6.4-rc1    2004-02-27 23:17 UTC     V      C  Changelog
The latest snapshot for the stable Linux kernel tree is:  2.6.3-bk9    2004-02-27 12:39 UTC     V  VI     Changelog
The latest 2.4 version of the Linux kernel is:            2.4.25       2004-02-18 13:37 UTC  F  V  VI  C  Changelog
The latest prepatch for the 2.4 Linux kernel tree is:     2.4.26-pre1  2004-02-25 18:05 UTC     V      C  Changelog
The latest 2.2 version of the Linux kernel is:            2.2.26       2004-02-25 00:28 UTC  F  V         Changelog
The latest 2.0 version of the Linux kernel is:            2.0.40       2004-02-08 07:13 UTC  F  V  VI     Changelog
The latest -mm patch to the stable Linux kernels is:      2.6.3-mm4    2004-02-26 02:19 UTC     V         Changelog


So the "responsible" linux people are still maintaining even the
2.0 kernel whereas if you're running NT4 you're SOL.

So is MS being "irresponsible"?

I repeat, who will you go to for patches for NT4? Will MS provide any
patches for NT4?

>>Hummm. So I want to serve web pages. Name the competing "solutions" to
>>my need.
>
>
> Netlink, Digix, etc..
>

Or a PDA, or a mainframe. I made no mention of serving to the net. It could
be a closed network where you're serving internal info/web pages.

>
>>So a little eden fan free with linux or Win2K is the same as a honking
>>great Unix box?
>
>
> If all you want to do is something both boxes can do and the scale of what
> you want to do is within the capability range of both boxes, yes.
>
> Isn't this exactly what is happening today, an ISP can buy a bunch of little
> servers, or dual cpu rack mounts, or an AS400 running virtual Linux
> partitions. They do compete with each other for some requirements.
>

Indeed.


>
>>The weakest code **you have installed/loaded**. No IIS, no IIS hacks
>>possible etc.
>
>
> Your logic is because you bought RH and all you use it for is to hold the
> books from falling off the edge of your bookshelf that it's totally secure.
> How the hell am I supposed to reason with that logic? Your usage (or lack of
> it) actually is secure in that case but at the same time your logic is badly
> flawed wrt security of the product.
>

No it's a matter of loading what you need. If you have no need for anon ftp
would you load it & expose it to the net? If you have no need of GAIM
would you fire it up, get some accounts & leave it on even if you
aren't using it?

A Large distrib is a collection of software where I doubt anyone ever uses
anything like all of it. I have my favorite text editors & thus tend to
load them. However that might be 1 or 2 vs a possible 9 or 10. I also tend
to load both PGSQL & MySql coz I like to see how both work against app
servers etc. However if I was running a production machine it would have
one or the other but not both.



>
>
>>Hummm...is this:
>>
>>http://www.flipstartpc.com/
>>
>>A PC?
>>
>>Or is it a model car?
>
>
> It's a PC, but this is not http://wearcam.org/wristcam/
>

Why? Just scale? After all this is to an eden what an eden is to a large unix box.

If the box itself is designed as single/constrained use (e.g. a vidphone or
a router running linux) then OK but there is no reason why a wristwatch per
se can't be a fully functional PC. Take these USB storage watches as an
example. You can get 256MB on your wrist. Add a low power cpu etc. & is
it still a model car?

Heck the PC was a toy.

Adam

> Geo.
>
>

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270
@PATH: 379/45 1 633/267

SOURCE: echomail via fidonet.ozzmosis.com
