I noticed the recent news of Red Hat's intent to partner and collaborate with the CentOS Project and was wondering if SSG will branch on CentOS content? From time to time folks have asked about running SCAP content on the CentOS platform. Could CentOS leverage the shared directory? I am just throwing this out to see the interest level.
http://www.redhat.com/about/news/press-archive/2014/1/red-hat-and-centos-join-forces
Luis Nunez J83B - Industry Collaboration The MITRE Corporation www.mitre.org
Not sure there's a lot of divergence, is there?
Leam
On Thu, Jan 9, 2014 at 2:48 PM, Nunez, Luis K lnunez@mitre.org wrote:
I noticed the recent news of Red Hat's intent to partner and collaborate with the CentOS Project and was wondering if SSG will branch on CentOS content? From time to time folks have asked about running SCAP content on the CentOS platform. Could CentOS leverage the shared directory? I am just throwing this out to see the interest level.
http://www.redhat.com/about/news/press-archive/2014/1/red-hat-and-centos-join-forces
Luis Nunez J83B - Industry Collaboration The MITRE Corporation www.mitre.org
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
On 1/9/14, 2:48 PM, Nunez, Luis K wrote:
I noticed the recent news of Red Hat's intent to partner and collaborate with the CentOS Project and was wondering if SSG will branch on CentOS content? From time to time folks have asked about running SCAP content on the CentOS platform. Could CentOS leverage the shared directory? I am just throwing this out to see the interest level.
http://www.redhat.com/about/news/press-archive/2014/1/red-hat-and-centos-join-forces
A good FAQ on the announcement is available at: http://community.redhat.com/centos-faq/
Ultimately, things will be broken down as:
- Fedora: Upstream code development, releasing in 6mo cycles, nightly builds, very bleeding edge
- CentOS: At some point, open source upstream /code/ becomes an upstream /project/ (e.g. OpenStack.org --> RDO). Upstream project developers -- such as those within the RDO community -- need a relatively stable platform with selectively updated components to develop against. The /project/ communities simply cannot have nightly changes to their operating system. CentOS will fill the gap between Fedora and RHEL; meaning CentOS will become the free operating system that mirrors(ish) RHEL for use by open source project developers. CentOS still remains a community, non-supported, non-government certified platform. No STIG, no common criteria, no APL, no FIPS, and no endorsement whatsoever from Red Hat as a platform for customers, partners, OEMs, or ISVs to utilize.
- RHEL: Remains the same.
<personal opinion> In many ways, Red Hat has lost ground within the open source technology development space to distributions like Ubuntu. Ubuntu provides a moderately seamless migration from their free/unsupported release to their commercial long term support variant. No such migration path exists for Red Hat operating systems; the variance between Fedora and RHEL is simply too great to develop on Fedora and assume everything will 'just work' in RHEL.
One could also argue that Fedora has lost its way and no longer moves fast enough with upstream technologies. By working closer with the CentOS community, we free Fedora to align closer with upstream and allow CentOS to be a free, stableish community development platform. Because CentOS tracks closely(ish) to RHEL, community developers now have an onramp to RHEL if/as they decide to commercialize their technologies.
CentOS still has a slew of issues, which make it an incredibly poor choice for enterprise and gov deployments:
- Absolutely no support
- Absolutely no security certifications
- Not an approved DoD CIO or DISA FSO operating system
- Questionable, if any, OEM/ISV integration
- Expensive to run alongside RHEL (see IDC report)
- Lack of 0-day responses to security problems
CentOS is a *community* development platform for things like RDO. For ISVs, integrators, and customers, RHEL is where development and certification should be performed.
</personal opinion>
Since CentOS really shouldn't be used on any government network, is there really a need for SCAP content? Creating such would seem to endorse the usage of CentOS, which really shouldn't be done.
On Thu, Jan 9, 2014 at 3:34 PM, Shawn Wells shawn@redhat.com wrote:
On 1/9/14, 2:48 PM, Nunez, Luis K wrote:
I noticed the recent news of Red Hat's intent to partner and collaborate with the CentOS Project and was wondering if SSG will branch on CentOS content? From time to time folks have asked about running SCAP content on the CentOS platform. Could CentOS leverage the shared directory? I am just throwing this out to see the interest level.
<snip...>
Since CentOS really shouldn't be used on any government network, is there really a need for SCAP content? Creating such would seem to endorse the usage of CentOS, which really shouldn't be done.
While there is government-specific content, SSG is an open community that develops and provides content for others to consume, use, and deploy, to their betterment, not just the government :) I would hope SSG would embrace patches that provide similar benefits on alternative platforms and hope the community members would not take that as any form of endorsement. Besides, isn't Fedora already included?
That said, I completely understand the project's focus on RHEL and the fact that release testing etc all happen on RHEL.
Thanks, --Spencer