2003-11-26
Linux vendors spend money building security bug fixes. How much longer will they give them away for free?

Unlike proprietary software, typically the flaws are found by the developers themselves and the fixes rolled into the canonical release (the "upstream" as distro vendors call it), or the discoverers of the vulnerability include the patch in their advisory. The Debian project is also a major source of security fixes for all distros. In my experience, the vendors rarely create the patch themselves - relying instead upon the above-defined "community" and their mailing lists to do so.
The value that the vendors add is creating easy-to-install, tested binary packages, and sometimes, in the case of more conservative distros such as Red Hat and Debian, "backporting" the fix from the current version to older versions of packages shipped (so as to reduce the risk of the update package causing breakages elsewhere in the system - a la Microsoft).
Red Hat are already charging for subscriptions to their convenient Red Hat Network service, though it's possible to get their errata (arguably) less conveniently from ftp.redhat.com and its mirrors for free. I would not be surprised if the update /BINARIES/ eventually disappeared from ftp.redhat.com, but they'd almost certainly have to continue publicly distributing the individual patches and build instructions in order to comply with the terms of the GPL. If they don't, they lose their right to distribute all GPL code (which would be fatal for a company like Red Hat). It is conceivable that they could refrain from doing so for non-GPL packages such as XFree86 and Apache.
As it happens, the most convenient way for Red Hat to distribute the patches and build instructions is probably in the form of their src.rpms, which can be easily rebuilt to produce binary packages, though some users will be wary of doing this and will WANT to pay for access to the "official" binary updates. Also, it is quite workable for large-ish organisations or specialist consultancies to take the original distro-supplied source packages and the community-supplied patches and use them to create new binary update packages independent of the distro vendors.
Finally, if you carefully examine the pricing of Red Hat's Enterprise releases, the software still costs nothing - the costs are entirely for access to the Red Hat Network and, optionally, individual support. Red Hat have not dropped their desktop distro - they still offer RHEL WS (workstation). Red Hat are also quite open to admit that they'll discount the RHN and support pricing for large (i.e. profitable and probably more knowledgeable) customers.
Link to this comment: http://www.securityfocus.com/comments/columns/200/23911#23911