> If you work in an industry or corporation that is highly security conscious, i.e. that prizes risk mitigation over using the cutting edge or getting to market first above all else, then you won't be able to use nightlies.

> Security policy will dictate that you use a stable versioned release, that the release be vetted through scripts/STIGs, and that the release be installed by Security+ certified and blessed admins.

I'd be quite surprised if your "security policy" has all of that and yet doesn't have a requirement for "commercial support" (i.e., Red Hat Enterprise Linux).

Besides, if $employer "is highly security conscious", your machines are almost certainly airgapped and getting their updates from a Satellite server that you're already paying Red Hat for.

AFAIK, CentOS is not now -- nor has it ever been -- "certified" for anything. Did that change at some point without me noticing?
It is (or was) definitely possible to be security conscious and use an Open Source OS:

* You can use reposync to update a copy of EPEL, PowerTools, etc.

* You can use yum -q deplist PACKAGENAME to list dependencies

* You can copy the necessary RPMs to a DMZ and apply security scans/tests, then take them to your boxes and install them

Also, any corporation or organization like I'm talking about has internal approval/certification of software as usable on their networks. The Army formalized this as the CoN, Certificate of Networthiness.


Pretty sure it did. CentOS is used by the government for classified areas. Though it might be phased out now after this change.