Red Hat Advanced Server Gets DoD COE Certification
DaveAtFraud writes "CNET is reporting that Red Hat Advanced Server has been certified as a 'Common Operating Environment' (COE) when running on an IBM server by the U.S. Department of Defense. Red Hat Advanced Server is the first version of Linux to receive this certification. The certification clears the way for broader use of Linux in government computer systems. It's interesting to note that the certification effort was made for the more proprietary (and costlier) Red Hat Advanced Server and not the basic Red Hat distribution." This despite the best efforts of certain lobbyists.
Could anyone who knows their stuff about Red Hat tell me the level of security it's got in relation to other distros and OSes?
Did that hurt so much?
It is near impossible to use most open source in a cost-effective way under those regulations. Give it a read and then move on to their understanding of software verification.
The whole open-source model just doesn't fly.
The obvious notion: "Not that I really care about military level security for my home computer, but it would be kind of cool to have."
Why is this even worth noting? Certification efforts aren't especially cheap. If you're going to expend time and resources getting a version of your product certified, why not put the effort into the version that is likeliest to generate enough revenue as a result of the certification to pay for the effort?
After all, while RedHat is in relatively good financial condition, it's not like they have around $40 billion in the bank (unlike some operating system companies). Certifying Advanced Server is a good use of limited resources.
That said, any government security certification is a Good Thing in the commercial marketplace, too - it helps when the engineers need to make a positive case to their PHB's, and gives one more "checklist item" that can get marked in their favor when comparing RH to other vendors.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
I use it on a box to run apps that I developed that our M$ monkeys haven't matched (or can't match). Mainly a lot of situations where one line of code does what would take several more in M$ (Scheduler vs. cron).
In our case it comes down to services. I work for the Commanding General and all he wants is "services not platforms".
I think maybe that has helped to bring in open source in our little corner of the military more than anything. IM talks about how they are M$ certified blah blah and I just bring out a new app coded in Perl that the green suiters can't live without.
Or better yet create one and let it run on one of my own outside servers and then demo it to them with a "Oh by the way, we need Linux to do this".
It's like heroin, get 'em hooked. They gotta have it. Superior services, not platforms.
As far as it being the more expensive version of RH that's certified, have you seen RH's stock price? You're still saving the military a lot more in the long run by getting the more expensive version.
Read the RH press release here.
I want to drag this out as long as possible. Bring me my protractor.
... isn't that the same certification as the one we scoffed at when Windows 2000 got it?
This program has committed a General Protection Fault and will fire ICBMs at DC. If the problem persists, quit calling Microsoft a monopoly.
Karma whorin' since 1999
Too bad the Navy/Marine Corps already sold their souls to M$ until something like 2007. (Slashdot ran a previous story about it.)
I can find only one relevant page on DISA that pertains to Linux/COE. This page has a link to a draft of COE Compliance Criteria for Linux. The information on this page hasn't changed in several months, AFAICT.
So, what's new here? Can anyone point me to a place on DISA that substantiates the claims made by the news.com article? Where is the "real", final COE Compliance Criteria for Linux?
In the course of every project, it will become necessary to shoot the scientists and begin production.
Hmmm, good question. A reasonable place to start: Red Hat.
Here's a better link to the story, sans linkspam:
http://news.com.com/2102-1001-984202.html
COE? Here's the link to their homepage:
http://diicoe.disa.mil/coe/
Admins! Get your fucking heads out of your asses and check to see if something is linkspam before posting it. This isn't the first time. Someone is making money from the click through.
Fuck them.
You can't download the Advanced Server. Well, ok, you can download all the sources, but the distribution is strictly commercial.
RH Advanced Server has generated some ill-will in our company when we realized the only way to "have a peek" was to shell out 800 buxors. We did that, but the venom dented some people's enthusiasm.
Is there a way to get the .iso image, under a non-commercial license of some sort? I mean, shit, even Solaris 9 is available for 20 bux as a non-commercial, and 100 bux for a commercial license.
Sigged!
And impressive considering the other certified OSes (Solaris, AIX, HPUX, and NT). I first used the Advanced Server a couple of months ago while evaluating some Itanium2s, and I was pleasantly surprised. I really like RH's decision to make the Advanced Server their "Enterprise" class distro with about an 18 month release cycle. Makes my job easier (TM).
I never thought I would say this, but I've gotten accustomed to using RH. I was a die hard Debian fan, and in philosophy still am. But when it comes to 3rd party support, and announcements like this, I have to say that RH is the distro right now, and probably will be for some time to come (at least in the US).
For all of the advancements that RH has done for Linux, and in spite of itself, including RPM, I would like for them to get a better package system. Yes, I know there's the apt-rpm or whatever it's called, but I'm talking something that already comes with the distro and works on all architectures supported by RH. Someday...
http://tinfoilhat.shmoo.com/
shouldn't exist for its own sake. bleh.
The Linux kernel you can download from here, the Red Hat distribution here.
all your base are belong to us...
Have you actually tried this? There's nothing but source RPMs.
Frankly the .NET ads on Slashdot turn my stomach.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
This is actually a pretty big deal for my company right now. We have a Java/Tomcat/Apache application running on a Linux box and need to host it for the AF. We have been struggling to get DISA certification and this will certainly help our cause!
All the source is right there on Red Hat's FTP servers. Download it and build it for yourself.
... this coming when we are nearing war with Iraq and simultaneous with the release of Command and Conquer Generals? Coincidence? I think not!
Disclaimer - I work for the DoD but i don't speak for them.
:)
"Segments" are basically customized software installs for COE. This includes Government produced software (Government Off the Shelf, GOTS) and commercial software (Commercial Off the Shelf, COTS). For instance there is a "segment" that installs Netscape.
These segment installs basically install the software such that it conforms to the COE environment. For example, applications must live in a certain path, follow a certain naming scheme, use certain environment variables to find things, only put user data in a certain place, etc., etc. Think RPMs or FreeBSD packages: segments are just big tarballs with a standardized format and install scripts.
The segments are available via DISA to those programs that are developing COE software; you have to show proof of need and sponsorship (i.e. somebody has to pay somewhere along the way for you to have access). Basically if you are developing applications for the DoD, you can get them; we have to get them through a certain chain of command. I think vendors can get access, but you have to talk to the DISA folks about how that works.
/* ICBM Coordinates 32.78N, 79.93W */
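The post above describes a segment as a tarball that must confine itself to an agreed install path. The script below is an added example for this thread, not code from the poster or from DISA: it lists a segment-style tarball and rejects any entry that is absolute, contains "..", or falls outside one prefix. The prefix "opt/demoapp" and both sample archives are constructed for the demo and are not a real COE layout.

```shell
#!/bin/sh
# Added example, not from the thread or from DISA. Checks that a
# segment-style tarball installs only under one agreed prefix.
# The prefix opt/demoapp and the sample archives are constructed here.

# Print each archive entry that is absolute, contains "..", or lies
# outside PREFIX/ (the prefix directory and its parents are allowed).
# Returns 0 when the archive is clean, 1 otherwise.
check_segment_paths() {
  archive=$1
  prefix=$2
  violations=$(tar -tf "$archive" | awk -v p="$prefix/" '
    { path = $0; sub(/^\.\//, "", path) }           # drop a leading "./"
    path ~ /^\//               { print "absolute path: " path; next }
    path ~ /(^|\/)\.\.(\/|$)/  { print "path traversal: " path; next }
    index(p, path) == 1        { next }             # prefix dir or a parent
    index(path, p) != 1        { print "outside prefix: " path }
  ')
  if [ -n "$violations" ]; then
    printf '%s\n' "$violations" >&2
    return 1
  fi
  return 0
}

# Build a constructed archive that stays under opt/demoapp; print its path.
make_clean_segment() {
  root=$(mktemp -d)
  mkdir -p "$root/opt/demoapp/bin" "$root/opt/demoapp/data"
  printf '#!/bin/sh\necho demoapp\n' > "$root/opt/demoapp/bin/demoapp"
  touch "$root/opt/demoapp/data/README"
  tar -C "$root" -cf "$root/clean.tar" opt
  echo "$root/clean.tar"
}

# Build a constructed archive that also drops a file into etc/, outside
# the agreed prefix; print its path.
make_stray_segment() {
  root=$(mktemp -d)
  mkdir -p "$root/opt/demoapp/bin" "$root/etc"
  touch "$root/opt/demoapp/bin/demoapp" "$root/etc/demoapp.conf"
  tar -C "$root" -cf "$root/stray.tar" opt etc
  echo "$root/stray.tar"
}

main() {
  clean=$(make_clean_segment)
  stray=$(make_stray_segment)
  check_segment_paths "$clean" opt/demoapp && echo "clean.tar: accepted"
  check_segment_paths "$stray" opt/demoapp || echo "stray.tar: rejected"
}
main
```

The check looks only at the archive listing, so it runs before anything is extracted; a real segment validator would also inspect the install scripts, which this example does not attempt.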
Red Hat, is that a brand of condoms?
There has been a leak that Microsoft internally uses a third-party Product Management application written in Java that runs on Red Hat Linux, and the back end database is Oracle 9i.
The MS internal audit team has found numerous security holes in Windows XP, SQL Server and .Net.
Based on their test, Java, Linux and the Oracle database were the most secure and stable.
There was a LOT of bureaucratic inertia standing in the way of this effort inside the DoD. In the office this little initiative started in within ESC, the push for this cost two program managers and one engineer their positions, with extra effort made to derail their careers. Another person had to keep his head down and toe the line for a long time. The replacement for the second program manager was frustrated and constrained and a little scared, having entered the arena of combat by stepping over the corpses of the previous two (figuratively).
The efforts by DISA and Red Hat were started because the little program that those people worked on provided the customer for the product. Sure, there was a lot of "anecdotal" demand for Linux, but this was the first formal acquisition program that was committed to it. The guinea pig, so to speak.
Let's give proper respect to RH (those involved know who he is) at Red Hat, who took that first call and pitched it to his management, even though it looked like all the risk was on Red Hat.
Well, you yankees spend $400 billion of your $79X Billion discretionary budget on Weapons and Military -- a few thousand to RHAT is zero for the US Military.
This is a major achievement for Linux, seeing that the only UNIX based system that is DII-COE compliant is Solaris. However, anyone who has ever had to read the DII-COE compliance documentation knows that it is ambiguous and very hard to follow. It's easy enough to make any OS installation noncompliant by adding in non-DII-COE approved software, or by accidentally opening up a port or two on the system.
Me email iz skyewalkerluke at microsoft's free email service.
In a free market economy the consumer has the option of making choices based on any number of factors including price, quality, speed/efficiency, convenience, and just plain old personal taste. However, in any system that shuts out all but the most deep pocketed (and well connected personally) companies then you had better be willing to pay more for less. Furthermore if the weights of the value of a product, service or the company that renders it have moved from the above factors (price, quality, etc) to that of the prettiest proposals, the slick talkingest (reverting to my Yosemite Sam mode) company personnel and the prettiness of words and documents presented then you will inevitably end up with less quality. Competition has then moved completely to the realm of draft picks for the cheerleader squad. It doesn't matter if they do nothing but look pretty and say stupid repetitive cheers... hey! they look pretty.
Bullshit artistry is _THE_ factor in government contracting, as a track record of proven quality does not factor in. Now to be fair, there is the SEI system in place (Systems Engineering and Integration) which mostly inherits from the ISO 9001 system. With five levels (1 - 5, no zero... 1 is granted to anyone whether they can find their ass with either hand or not) you have a criteria of process quality by which you can judge an organization. However, with all the money and obvious effort that went into creating and maintaining this system the Achilles heel is no different than in any other of the "best laid systems and plans" to date. That my friend is the factor of non-compliance to the very processes that define who is granted what level. In other words, they don't use it like it was intended thus rendering it as just another acronym. The ironic thing (but typical in entrenched bureaucracy) is that even though pretty much anyone will admit (if you ask them lightly in the break room over coffee) that the system is rather broken most of those will still puff up with pride (if contractor) if they are a talking head of an organization with higher than SEI Level 2 or will speak with awe and wonder (if government) of an organization with SEI Level 2 or higher.
What I fail to understand is why some will defend this bastardization on the grounds that those organizations with an undeserved SEI level are "Working Towards it." Well, that is good... really, however that is illogical when you look at the fact that the SEI system is not a projection but a grant of current operational status. I somehow doubt that there would be much validity in being granted a good bill of health after being shot 10 times if it was based on the fact that the surgical staff would "Soon fix me up good." No, instead I should be labeled as "In Critical Condition" and any other status be viewed as such. (Hmmm, is THAT what STAT comes from... meaning right NOW? I sure don't know) Back to IT work, if I was the customer then I would not care one damn bit about a system in place that is not consistently applied. The minute it becomes acceptable practice to arbitrarily award the SEI Levels is the same instance that such levels lose their meaning.
Now some might say (who lack working neurons) that this is exactly what happens with capitalist Evil Corporations (TM) yet in reality we see that it is the government itself that creates this system. If the government would place individuals in decision making roles that had both a sense of ethics as well as refined professionalism then you would find that requirements would soon show a dramatic shift towards the quality of the products and services rendered. Networked people are important, to that there is no question. Yet a professional organization will correctly view those connected personnel as one of the many factors involved in doing business. ("Professional" defined here not just as "they get paid to do X" but referring to the ethical and motivational set of standards and practices they employ) Some actually believe that without business developers sliming their way through the system, charming the customer and confusing them when they question bad quality, that there would be no business. Perhaps in some cases there would be less, but there have been entirely too many cases in history (large and small) that show that if there is a need on one end and a supplier on the other then things can work out just fine. The middle man is nothing more than a facilitator of this process... a catalyst, but since they themselves do not do any real work they are expendable in reality. Before them business happened at perhaps a slower rate. Without them business adapts. Without those providing the actual product and service then there is nothing to be made of the best of deals. Take out the bullshit artists in the government and soon you will find that their contractual counterparts will begin to vanish as well.
On a different but very much related note: Has anyone ever done a study of the percentage of commercials split up by radio, television and print (including the net) that actually advertise the uniqueness of the product, its advantages over competitors and why you should buy it? Don't get me wrong, I LOVE those beer commercials usually. However when so many commercials have become little sitcoms or tools of the "arteest" then I really fail to see how I as a consumer am supposed to do anything but ignore them and focus on doing research (to include ratings). I rarely see any commercial that is useful however that could just be where I live.
I seek not only to follow in the footsteps of the men of old, I seek the things they sought.
Amusingly, all of the COE 'platform compliance' documents are in Microsoft Word format, including the POSIX based and Linux based drafts...
That is absolutely hilarious, someone give that man a 4, at least
For the record, most govmnt managers are very tight with their program dollars. If there are more cost effective ways of doing something, that are cheaper to operate and maintain (which is a HUGE part of the cost of ownership), then that is an extremely attractive option. BTW, the folks in my shop use many open source tools to do their work, in combination with several proprietary packages. The OS versions of the proprietary software are either 1) not mature enough to use, 2) too expensive to maintain in house on a rapidly evolving system with changing mission reqmnts, or 3) not supported by a 3rd party vendor with the right expertise. However, as OS solutions mature, you can bet the govmnt will be moving towards that.
End of Line.
A more sane way to manage source packages on production boxes is to have a machine similar to the production boxes but with the developer toolchain installed.
The production boxes will still use debs or rpms but the compilation boxes can easily use something like checkinstall to make packages. This won't work in a potpourri environment but it would be fine if there's lots of identical machines. You mentioned that you wanted only particular software on your machines. With source compilation, you can even specify that the software only have certain options compiled in.
Since the dev toolchains are confined to a few boxes, maintaining those shouldn't be onerous either.
And I should know.
I want to delete my account but Slashdot doesn't allow it.
If the Green Berets use Redhat as part of a war (borg like) body suit... will they still be the Green Beret? Or the Red Hats?
Please take a look at the RH-AS license. Tell me that it does not conflict with the GPL, and don't be lying about it. I think it does. It specifically states that I have to buy another copy to put it on another machine. Isn't this against the GPL? I bought the software, it's mine to do with as I please as long as I give out copies of the source along with it?
-- Who is the bigger fool? The fool or the fool who follows him? --
Ah, you see Linux has a long history of providing support for the emulation of other popular operating systems such as DOS (dosemu), Windows (wine, technically not an emulator), any number of things via Bochs and VMware, and of course EMACS, which is a really great operating system hampered only by a lousy editor. HTH!
Corporate Gadfly
Jonathan Archer: the most beaten up Enterprise captain in Star Trek history
Wouldn't that be Blue Hat?
We're using RHAS here at work, and I have to say, to date I've been very unimpressed.
One of the RH sales reps went on about how RH made a lot of kernel modifications so their kernel worked better on MP machines than the default Linux kernel. Fair enough. But they also prefer you use IBM's JDK/JRE, which doesn't work out of the box on MP machines. Not to mention it seems to eat twice the memory of Sun's JDK/JRE.
It also seems that Red Hat only supports ext3 in their Advanced Server. It seems to me that anything calling itself an "Advanced Server" should support JFS or ReiserFS. Now, I know that JFS is relatively new, but Reiser has been around long enough and was considered "stable" before ext3 I believe, so I see no reason why it shouldn't be available for me to use without having to pass silly kernel parameters to get it to show up.
Don't even start me on xinetd. Stuff like "maintaining compatibility with other unix flavors" is important if they want to move AS into big iron shops where Solaris and AIX are the norms.
Does anyone have information on other Linuxes on their way to COE certification? SuSE Enterprise? (Can't think of any other commercial "enterprise/advanced server" type distros...)
Linux: The world's best text-adventure game.
Way to moderate based on personal opinion. Now let's see you prove that it's off-topic.
For anyone that missed it, the original MITRE report is here (this basically started things going) and the rebuttal paper from the Initiative for Software Choice is here.
Again, for those that missed it, the Initiative for Software Choice, though at an 'org' is funded by MS and others of the big software makers.
The response paper goes through quite a bit of trouble to label the GPL as a viral license and the resulting dangers, as well as going into how giving 'preferential' treatment to open source will hurt the software industry (monetarily) and the government (by cutting off choice).
They definitely try to do a nice 'turn around'. Open source is hit as not being any more secure than commercial software, that the GPL (specifically) can/will pollute developed works and that the policy change is not only not needed but will deprive the government of choice and the ability to select the best software for a given job.
For completeness, the CNET article is also here.
I have to use this cause I can't afford a real sig...
Why did Red Hat bother? I think NSA's Linux kernel at their website is probably better than anything Red Hat has put together. Seems a waste of time and effort for the DOD to certify something when they already have a distro for DOD purposes. I recommend SELinux for its kernel security (it's only a kernel, no fluff). Red Hat is probably just looking for another revenue stream and DOD decided to go along with it.
You can go to the binary groups and get a copy.
How do these things relate to Linux? No one's arguing that it isn't a good development environment, but Perl runs in Win32 fairly easily.
Have you tried to use Perl on Windows?
It just isn't the same. Perl proggies typically make heavy use of syscalls such as "fork" and "pipe".
Performance of these under Windows is atrocious, not to mention that the whole Windows filesystem/exec is shockingly low performance.
(It's not designed to be used in the way Perl programs typically use it.)
Perl is seemingly perfect for Linux, with its low forking overhead (comparable to creating a thread or LWP on other OSen) and its I/O subsystem performance.
Programming, even in high level languages, is a totally different ballgame under Windows, if you want performance. You have to do it differently.
I don't get it. Linux is great for desktop and hardware-oriented things (soundcards, PCMCIA cards, etc).
But for the most stable servers running free Unix, how can you beat the BSDs? And with CVSup et al, you can be sure you're really really up to date and secure.
I'm a Linux user since the 1.x kernels and a FreeBSD user since maybe 2 yrs ago. These days I use Linux on the desktop and BSD on my servers. So I know and love both for the right purpose.
Linux has name recognition, but for ultimate stability, I'm just not sure it's the right choice here...
--
"It is now safe to switch off your computer."
Neither philosophy prohibits you from charging the first person to get the software, and neither prohibits that person from either charging for or not charging for it. Maybe under the "Free" model you say you are charging for your time (instead of the software, or a license to use it), but that's just semantics - I could reduce the price by a factor of 1000 and hope 1000 people buy it. It would be less likely if it was "open source" or "free", but it's possible. How many people bought CDs from the FSF?
I thought the distinction was more a philosophical one based on *why*: "Open Source" says allowing redistribution of the source is more practical, while "Free" software declares it to be a right. Neither says you have an obligation to hand it down to the next guy. I have the ability to let a friend borrow my Knoppix CDs; I'm not *obligated* to do so at all, money or no money.
From that angle, having free or low-cost copies available is just a statistical side effect of people offering copies because it doesn't cost them much and it makes them feel warm and fuzzy inside, cheap bandwidth, and others caring more about the software itself more than the pretty boxes it might otherwise be available in.
If we were all stuck with 300 bps modems, you, me, ESR and RMS would all be hiking down to the nearest Best Buy for our next software fix. And we'd all be smilin' because the source code would be inside, as long as they were charging less than it would cost for us to download it. (I used to buy boxed Linux distros until they went over $30)
See?
I think you missed the reason why the GPL licence is unique. Not all open-source software licences guarantee you have the right to redistribute source code without limitations. Some open-source licences are ambiguous on what, if any, rights you have to redistribute source code. Other open-source licences try in various ways to restrict your right to redistribute source code.
In contrast, the Gnu General Public License guarantees in clear English that you, as well as everyone else, have the right to redistribute the source code free-of-charge, or if you prefer for no more than the reasonable cost of providing storage media etc.
There is no ambiguity about the meaning of the GPL licence. That's the real benefit of being able to have GPL-licensed free software as opposed to any other type of open-source software licence. I'm not saying one type of licence is better than the other for all purposes. However, if you value your right to redistribute source-code then the GPL licence is probably the best choice when considering which software to use.
Mr. Jones related an incident from "some time back" when IBM Canada Ltd. of Markham, Ont., ordered some parts from a new supplier in Japan. The company noted in its order that acceptable quality allowed for 1.5 per cent defects (a fairly high standard in North America at the time).
The Japanese sent the order, with a few parts packaged separately in plastic. The accompanying letter said: "We don't know why you want 1.5 per cent defective parts, but for your convenience, we've packed them separately."
-- Excerpted from an article in The (Toronto) Globe and Mail
- this post brought to you by the Automated Last Post Generator...