Thursday, August 6, 2009

A Perfect Illustration of Why I Now Choose Scientific Linux Over CentOS

The following comment was posted in response to my business oriented article about the CentOS situation for O'Reilly Broadcast. It perfectly illustrates why I have made the decision I did:




I've been running CentOS as a file/intranet server since 5.0 was released. I started becoming concerned during the protracted period that it took to get 5.3 out. Not about the "lateness" in getting 5.3 out, but the complete lack of security updates in the interim for my 5.2 system. This "No updates available" went on for over a month. My version of Firefox trailed behind Red Hat's by two versions.

We can go back and forth about how many developers CentOS has vs. Scientific Linux. To me, that is academic if the Scientific Linux developers get their distro out several weeks in advance of CentOS, and more importantly, provide more timely security patches. If I'm not mistaken, Scientific Linux also supports older "dot" releases, such as 5.1, 5.2, etc., while CentOS does not. Not an issue for me, but it does indicate a little more thoroughness on the part of the Scientific Linux developers, few in number as they may be.




This wasn't a hasty decision. It wasn't made in a vacuum. Firefox wasn't the reason I talked about late patches, only the most recent example.

I wish the CentOS project and its developers well. Maybe in the future the CentOS developers can correct the issues that I've raised and I will reconsider the distro. They would not only need to get security patches out on a timely bases but they would also need some sort of institutional backing to insure their future before I will consider recommending them again.

14 comments:

RickRussellTX said...

I have to ask -- if the commenter is mainly concerned with using CentOS as a file/intranet server, isn't stability and thorough testing of patches more important than release speed?

The raison d'etre of intranet services is that they are (1) internal and not exposed to the general internet and (2) must offer maximal uptime and reliability.

Security is always important, but intranet services would seem to be a case where security and cutting-edge releases are not the highest priority.

I'm not making an argument for or against CentOS or SL, it just seems to me if that if the concern about patch release rate or Firefox version is misplaced for this type of service. CentOS is designed to be a free, highly stable fork of RHEL, and staying lockstep with RHEL does not necessarily meet that mandate.

Caitlyn Martin said...

The problem with CentOS isn't Firefox. It's been a failure to get timely patches out on a consistent basis, ANY patches, for the past year or more.

RHEL is a highly stable enterprise OS. Scientific Linux delays patches 24-48 hours to test what Red Hat does for extra insurance. CentOS published policy is 24-72 hours. If they met that policy I would agree with you. As was pointed out, at times they have been months late. That is not acceptable.

Intranet servers are one example used in the comment. My interest is all my clients and all types of servers, not just intranet servers. I would also point out that firewalls are not perfect and that vulnerabilities in firewall software are discovered all the time. Even a server behind a firewall such as an intranet server, IMNSHO, needs to have all known vulnerabilities closed as soon as possible.

There is nothing cutting edge about Red Hat Enterprise Linux. Their releases are very conservative and often of older software. They patch vulnerabilities often without moving to a more recent version. Your statement about "staying in lockstep with RHEL" implies that Red Hat Enterprise Linux doesn't meet the goal of maximizing stability and reliability. In my experience nothing could be further from the truth.

United against said...

I now use arch linux so I do not have to worry about this problem. When ever an update comes out I get to install it. I do not have to wait until the distribution decides to release it. I am more and more appreciative of this model.

Caitlyn Martin said...

@United: You may want to read my piece on O'Reilly to understand why Arch Linux is not suitable for business. See: http://broadcast.oreilly.com/2009/08/the-future-of-centos-and-crite.html I also seriously dislike the rolling release model. It's a nightmare to troubleshoot problems when there is no fixed reference point, no known good release point to work from.

Sorry, Arch Linux is not for me, either personally or professionally.

Robby said...

Hi Caitlyn, I think you've missed out on one of the best Linux distro's to date - Slackware. Not only is it reliable and stable, but patches are released timeously and for a no. of older releases ( a recent patch for fetchmail goes back all the way to Slackware 8.1 which is from many years ago ). Although I like Centos and have not had any issues with it, none of the problems you raise apply to Slackware making it the perfect dsitro for you ( and others ).
Regards, Robby

Caitlyn Martin said...

Missed out? Slackware was the second distro I tried, back in 1996 or so. I've used it on and off ever since. Where do you get the idea that I don't know or use Slackware?

Having said that, Slackware is not suitable for business for other reasons. First, there is no PAM or SELinux implementation. In an enterprise environment where multiple authentication methods are used PAM is absolutely essential. Second, it's maintained by a small group of volunteers. See the story on O'Reilly above on why that just won't cut it in the business world. It also makes Slackware impossible to sell to IT Managers.

Finally, until Slackware has sane and automated dependency checking it really isn't a modern distro, is it? The extra work involved really puts me off.

Robby said...

@Caitlyn, I beg to differ with you on a number of points. You may have used Slackware way back but you didn't mention this fact in your article. In addition, if you haven't used it recently, then you'll be unaware that while Slackware's legendary security and reliability remains, its packaged versions of software are now well up to date.

There appears to often be differences between North America and the rest of the world in the way software is used. Eg. corporate Linux penetration in the US appears to lag a lot based on articles coming out of the US. I've been using Slackware in the business space for many years for both small and big companies. Slackware's small dev team or lack of business backing has never been an issue, and I doubt it will be in the foreseeable future. Second, the lack of PAM or SElinux has never been an issue for me or my clients ( around 340 installed boxes in the field at the moment for just myself, not to mention my partners ). Slackware provides a fairly locked down system by default and it doesn't take much more to make it bulletproof. PAM just doesn't feature on my requirements list ... Lastly, Slackware's lack of dependency tracking etc. has a. never been an issue for Slackers, b. is an overblown problem for starters and c. there are some tools that provide dependency tracking if you really need it.

To each their own, but I fail to see why Slackware should be deemed any poorer at minimum than distro's like Centos, Debian or Mandriva. Considering that these are often used in business areas, that would mean Slackware is in fact better suited for business use ( by one of the main metrics of your article - patch release timing ).

At the end of the day, you have choice which is great. If a particular distro's feature set, policies or management is not what you want, you can always change.

United against said...

I wanted to say that you are right about Arch not being right for business or a server. I chose this because I got sick of waiting for updates. Some times to get some thing updated I had to wait until they released the newest version and use the cd to upgrade. Like you before the next update their would be a slow down on what was released and I did not like waiting so this is why I went for a rolling release. For me this is great and I have had only one problem and that was with xserver 1.6 but a lot of people had problems with this.

I appreciate your articles. You do not just complain about a problem and leave it at that. You list what went wrong and why another OS was better in these area's. I think that some times this is the only way to get through to the developers. Some times they will just justify why things are the way they are. If they do this they will just lose more and more people. If they take the opportunity to make things better then things will change. Like OpenSUSE was doing releases to often and thus errors would go from one to the other with out being fixed. They decided to extend the release cycle and thus hopefully fix some of these problems. The KDE team is listening more and more and making changes that people want to see rather then going off in their own direction.

Like I said it is only by people putting out things that they will get better. Those that do not take action will lose more and more people. Some people even tell people to use other distributions in forums rather then helping those users having problems. These distributions will some day no longer be there. When people get this treatment they will either go back to Windows or just go to another Linux distribution. I hope that CentOS will make changes for the better but if not people have options to go else where.

Caitlyn Martin said...

First, I have Slackware 13rc2 on a machine now. I wrote a review for O'Reilly of Slackware 12.1. I have used it recently. I am very aware of Slackware's reliability and performance. I also think you have to be insane to consider using it in the enterprise. PAM isn't an issue? How on earth do you correctly handle multiple authentication schemes? I have been part of a team supporting literally thousands of servers and I have supported a U.S. government agency that uses Linux. Try and explain, in that environment, why the level of security provided by SELinux isn't needed.

I don't believe the U.S. is behind in Linux adoption. Perhaps where you are IT managers will consider something without corporate support. In the U.S. that's seen as an insurance policy at the very least. If 24x7 commercial support isn't available it isn't used, period. If I tried to sell Slackware here I wouldn't get the time of day.

Neither Debian nor Mandriva have any significant market share in the enterprise in North America. Mandriva has had financial problems, Debian lacks commercial support and also doesn't have scheduled releases. Neither would be considered terribly acceptable either.

CentOS and Slackware are run by small groups of volunteers. Again, not acceptable to business.

Again, my article is written from a business perspective and, of course, since I am in the U.S. I go by what business does here.

Robby said...

Caitlin, your points are all valid to varying degrees. I was just pointing out that Slackware would be a more suitable choice than Centos based on the primary criteria of your article: "lack of security updates" and "get security patches out on a timely bases". Your article also barely mentioned "business" ( only in subtitle section ) therefore you can forgive my sway towards Slackware ( my personal opinion ) for certain installations.

I use RHEL/SLES on a daily basis for those clients that require "backing" and "support". Both RedHat and Novell provide really good support which can't be underestimated in many environments.

Your alternative, SciLinux, does not however provide anything beyond Centos ( except in terms of timely updates/backing ) and in my opinion, "backing" in this case does not supply the required level of business draw and support that you allude to in your last response. Especially for non-US folk.

PAM is not an issue when you don't need auth. SElinux is a great add-on no doubt, yet even in government ( in the US ) we continuously hear of cases of virus infection and network shutdowns most probably due to Windows issues. Perhaps you can enlighten the rest of us ( yes there is another world out there beyond the US : ) ) why many US government agencies are still using the most insecure OS on the planet.

Per the first comment, I'm not making an argument for or against Centos vs SL. SL certainly has the lead there and the choice is yours. However, in a business environment, I believe that only RH, Novell and Canonical, as distro vendors, have the levels of backing and support that are required/expected by Big Business. SL may get there at some point but it's not there yet.

And yes, I understand you are writing for the US market, but your blog may be read world-wide so you should take that into consideration.

Caitlyn Martin said...

@Robby: This post wasn't meant to be read in isolation. It referred to and linked back to my article for O'Reilly Broadcast about why I no longer recommend CentOS for business use. It also followed up on a previous post here than also linked to O'Reilly.

Regarding Scientific Linux, if you had read that O'Reilly article you'd have a better context for your comments. You'd know that I agree with you completely about RHEL, SLES, and Ubuntu LTS. What I wrote there was that, particularly in the current economic environment, there are some businesses and non-profits who cannot or will not pay for software subscriptions. I also wrote that many companies are using RHEL on production servers but using CentOS on development machines that aren't mission critical.

I also wrote about how Scientific Linux is supported by universities and laboratories all over the world who are, in turn, supported by major Western governments. That includes Fermilab, which is part of the U.S. Department of Energy, and CERN, the huge European nuclear laboratory in Switzerland which has E.U. backing. Certainly that is far more significant than a small group of volunteers, which is what CentOS is. Had you read that part of my piece and followed the links I doubt you would have written what you did about SL.

I will never understand why the U.S. government does some of the things it does so there is no way I can explain it.

DIE said...

Robby:

Give it a rest. Slackware is dead.

The creator won't even listen to reason. So grow a pair and move on.

Microsoft Windows is secure if a properly trained individual is at the helm.

For instances if you are interested in security take a look at the following link and learn:
http://iase.disa.mil/stigs/stig/index.html


So what does the government use?
http://www.disa.mil/contracts/guide/bpa/bpa_redhatlinux.html

The fact is you need to consider security across many levels. OS, File-System and network. Yes, you always need to consider it. That is what separates professionals from amateurs.

RedHat is the rooster of the hen house.

They have the certifications.
http://www.redhat.com/solutions/government/commoncriteria/

JMMR said...

What are your thoughts on Fermi Linux? I just read about it today and found out that it is a hardened version of Scientific Linux. Unfortunately they seem to be behind as they only have version 5.5. But never the less, I was wondering if you have given it a try?

Caitlyn Martin said...

I've used Scientific Linux and I do recommend it. I have never tried the Fermi Linux variant.