| subject: | Re: https://rhn.redhat.com/errata/RHSA-2004-051.html |
> From: "Geo."
> "Adam Flinton" wrote in message
> news:909344.592d73{at}harborwebs.com...
>> The key difference is what is known legally as the "master servant
>> relationship" i.e. the MS person is normally directed to write s/w for MS
>> (i.e. MS is the master & the bod is the servant). Whereas with OSS people
>> scratch their own itch.
> You aren't going to win this argument by redefining things so OSS doesn't
> count.
> From my point of view, MS is one group, OSS is another. There, I can
> redefine so it works for me. :)
So which group is Oracle in? SAP? Sybase? BEA? etc.etc.
> Point is, MS makes a product called Windows, it doesn't include encarta
> which is a totally separate product from the same group, so the group is
> irrelevant to this discussion. What matters is what is the product. Windows
> is a bunch of stuff grouped under the windows name, it's a product. Likewise
> RedHat is a bunch of stuff grouped under the RedHat Linux product name.
Yup no arg from me there. My problem is not with a direct RH vs Windows (as
"products") comparison, it's the Windows vs "linux" one where linux can fit
onto a floppy or onto a set of CDs/DVD.
The diff between the 2 sizes is the 3rd party products bundled as part of
the "product".
> Again SELinux is another bunch of stuff grouped under another product name.
> So an exploit for RHLinux may or may not be an exploit for SELinux, that's
> because they are different products.
Indeed. However both are "linux". As an example MS could produce a special
"MS linux" (or under another comp's name) where the bundle is both huge &
specially chosen to include buggy/vulnerable 3rd party software specifically
so it can go "oooh look at all the holes in "linux"".
> Just because you happen to call them both Linux doesn't mean they are the
> same thing. That's why I keep saying forget OS, forget the least common
> denominator approach and look at this as a product issue.
Yes & no. I am happy to do both. I like to know if the OS I've
installed is itself vulnerable. i.e. take both to be the "what you
need & only what you need/must install". i.e. no pinball in WinXP
& no mysql or apache or whatever in linux. e.g. the recent memmap thing
is a "linux" vulnerability. The DCOM thing is a Windows one etc.
> There are more
> secure versions of Linux than Red Hat, do you agree with that? Do you
> consider SELinux to be a more secure version of Linux than Red Hat? How can
> that be if you aren't comparing products instead of the common denominator?
Again though you say linux where you might actually be comparing simply the
3rd party apps bundled with the OS. i.e. a minidist is the most secure on
the whole coz it simply doesn't have the wealth of 3rd party apps that say
Novell, or RH or Mandrake linux have.
w/o going into details I was looking at a secure linux for a set of
machines based on Gentoo with SELinux on top. The first job is actually
defining what "services" were required & to then include the
min amount of s/w to provide them. e.g. ssh + Oracle or ssh + an app server
or ssh + dns/dhcp (ddns).
OK so ssh is a common theme & thus a hole in ssh is a hole per se but
by having a "built to order" dist including only the stuff you
need then it can be very secure (& small).
Adam
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
| SOURCE: echomail via fidonet.ozzmosis.com | |