Slashdot Mirror
Red Hat Advanced Server Gets DoD COE Certification
DaveAtFraud writes "CNET is reporting that Red Hat Advanced server has been certified as a 'Common Operating Environment' (COE) when running on an IBM server by the U.S. Department of Defense. Red Hat Advanced Server is the first version of Linux to receive this certification. The certification clears the way for broader use of Linux in governement computer systems. Its interesting to note that the certification effort was made for the more proprietary (and costlier) Red Hat Advanced Server and not the basic Red Hat distribution." This despite the best efforts of certain lobbyists.
Why is this even worth noting? Certification efforts aren't especially cheap. If you're going to expend time and resources getting a version of your product certified, why not put the effort into the version that is likeliest to generate enough revenue as a result of the certification to pay for the effort.
After all, while RedHat is in relatively good financial condition, it's not like they have around $40 billion in the bank (unlike some operating system companies). Certifying Advanced Server is a good use of limited resources.
That said, any government security certification is a Good Thing in the commercial marketplace, too - it helps when the engineers need to make a positive case to their PHB's, and gives one more "checklist item" that can get marked in their favor when comparing RH to other vendors.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
I use it on a box to run apps that I developed that our M$ monkeys haven't matched(or can't) match. Mainly a lot of situations where one line of code does what would take several more in M$ (Scheduler vs. cron)
In our case it comes down to services. I work for the Commanding General and all he wants is "services not platforms".
I think maybe that has helped to bring in open source in our little corner of the military more than anything. IM talks about how they are M$ certified blah blah and I just bring out a new app coded in Perl that the green suiters can't live without.
Or better yet create one and let it run on one of my own outside servers and then demo it to them with a "Oh by the way, we need Linux to do this".
It's like heroin, get 'em hooked. They gotta have it. Superior services, not platforms.
As far as it being the more expensive version of RH that's certified, have you seen RH's stock price? You're still saving the military a lot more in the long run by getting the more expensive version.
Read the RH press release here.
I want to drag this out as long as possible. Bring me my protractor.
... isn't that the same certification than the one we scoffed at when Windows 2000 got it?
I can find only one relevant page on DISA that pertains to Linux/COE. This page has a link to a draft of COE Compliance Critera for Linux. The information on this page hasn't changed in several months, AFAICT.
So, what's new here? Can anyone point me to a place on DISA that substantiates the claims made by the news.com article? Where is the "real", final COE Compiance Critera for Linux?
In the course of every project, it will become necessary to shoot the scientists and begin production.
Here's a better link to story, sans linkspam:
http://news.com.com/2102-1001-984202.html
COE? Here's the link to their homepage:
http://diicoe.disa.mil/coe/
Admins! Get your fucking heads out of your asses and check to see if something is linkspam before posting it. This isn't the first time. Someone is making money from the click through.
Fuck them.
RH Advanced Server has generated some ill-will in our company when we realized the only way to "have a peek" was to shell out 800 buxors. We did that, but the venom dented some people's enthusiasm.
.iso image, under a non-commercial license of some sort? I mean, shit, even Solaris 9 is available for 20 bux as a non-commercial, and 100 bux for commercial license.
Is there a way to get the
Sigged!
And impressive considering the other certified OSes (Solaris, AIX, HPUX, and NT). I first used the Advanced Server a couple of months ago while evaluating some Itanium2s, and I was plesantly suprised. I really like RH's decision to make the Advanced Server their "Enterprise" class distro with about an 18 month release cycle. Makes my job easier (TM).
I never thought I would say this, but I've gotten accustomed to using RH. I was a die hard Debian fan, and in philosophy still am. But when it comes to 3rd party support, and announcements like this, I have to say that RH is the distro right now, and probably will be for some time to come (at least in the US).
For all of the advancements that RH has done for Linux, and in spite of itself, including RPM. I would like for them to get a better package system. Yes, I know theres the apt-rpm or whatever its called, but I'm talking something that already comes with the distro and works on all architectures supported by RH. Someday...
Anyhow, all these distro's really have in common is the kernel code which makes them linux. The rest of the software (FTP, wm's, editors) bundled is up to the bundler. It is these choices that can make a distro more secure from another. EX: ssh v. telnet, std ftpd v. vsftpd, vi v. emacs (Sorry, I just had to ;-}) et al; The DOD is going to certify the whole bundle and not just individual pieces. Basically, they don't trust their admins (contractors mostly) to pick the right pieces on their own, so they will find a good bundle and certify that with special instructions.
Who are you? The new #2 Who is #1? You are #617565. I am not a number, I am a free man! Muhahaha.
Thanks in advance.
All the source is right there on Red Hat's FTP servers. Download it and build it for yourself.
Disclaimer - I work for the DoD but i don't speak for them.
:)
"Segments" are basically customized software installs for COE. This includes Government produced software (Government Off the Shelf, GOTS) and commercial software (Commercial Off the Shelf, COTS). For instance there is a "segment" that installs Netscape.
These segment installs basically install the software such that it conforms to the COE environment. For example, applications must live in a certain path, follow a certain naming scheme, use certain environment variables to find things, only put user data in a certain place, etc, etc. Think "rpms" or FreeBSD packages - segments are just big tar balls with a standardized format and install scripts
The segments are available via DISA to those programs that are developing COE software - you have to show proof of need and sponsorship (i.e. somebody has to pay somewhere along the way for you to have access). Basically if you are developing applications for the DoD, you can get them - we have to get them through a certain chain of command. I think vendors can get access, but you have to talk to the DISA folks about how that works.
/* ICBM Coordinates 32.78N, 79.93W */
There was a LOT of bureaucratic inertia standing in the way of this effort inside the DoD. In the office this little initiative started in within ESC, the push for this cost two program managers and one engineer their positions, with extra effort made to derail their careers. Another person had to keep his head down and toe the line for a long time. The replacement for the second program manager was frusterated and constrained and a little scared, having entered the arena of combat by stepping over the corpses of the previous two (figuratively).
The efforts by DISA and Red Hat were started because the little program that those people worked on provided the customer for the product. Sure, there was a lot of "anecdotal" demand for Linux, but this was the first formal acquisition program that was committed to it. The guinea pig, so to speak.
Let's give proper respect to RH (those involved know who he is) at Red Hat, who took that first call and pitched it to his management, even though it looked like all the risk was on Red Hat.
This is a major achievement for linux, seeing that the only UNIX based system that is DII-COE compliant is solaris. however, anyone who has ever had to read the DII-COE compliance documentation knows that it is ambiguous and very hard to follow. it's easy enough to make any os installation noncompliant by adding in non-DII-COE approved software, or by accidently opening up a port or two on the system.
Me email iz skyewalkerluke at microsoft's free email service.
In a free market economy the consumer has the option of making choices based on any number of factors including price, quality, speed/efficiency, convenience, and just plain old personal taste. However, in any system that shuts out all but the most deep pocketed (and well connected personally) companies then you had better be willing to pay more for less. Furthermore if the weights of the value of a product, service or the company that renders it has moved from the above factors (price, quality, etc) to that of the prettiest proposals, the slick talkingest (reverting to my Yosemite Sam mode) company personnel and the prettiness of words and documents presented then you will inevitably end up with less quality. Competition has then moved completely to the realm of draft picks for the cheerleader squad. It doesn't matter if they do nothing but look pretty and say stupid repetitive cheers... hey! they look pretty.
Bullshit artistry is _THE_ factor in government contracting, as a track record of proven quality does not factor in. Now to be fair, there is the SEI system in place (Systems Engineering and Integration) which mostly inherits from the ISO 9001 system. With five levels (1 - 5, no zero... 1 is granted to anyone whether they can find their ass with either hand or not) you have a criteria of process quality by which you can judge an organization. However, with all the money and obvious effort that went into creating and maintaining this system the Achilles heel is no different than in any other of the "best laid systems and plans" to date. That my friend is the factor of non-compliance to the very processes that define who is granted what level. In other words, they don't use it like it was intended thus rendering it as just another acronym. The ironic thing (but typical in entrenched bureaucracy) is that even though pretty much anyone will admit (if you ask them lightly in the break room over coffee) that the system is rather broken most of those will still puff up with pride (if contractor) if they are a talking head of an organization with higher than SEI Level 2 or will speak with awe and wonder (if government) of an organization with SEI Level 2 or higher.
What I fail to understand is why some will defend this bastardization on the grounds that those organizations with an undeserved SEI level are "Working Towards it." Well, that is good... really, however that is illogical when you look at the fact that the SEI system is not a projection but a grant of current operational status. I somehow doubt that there would be much validity in being granted a good bill of health after being shot 10 times if it was based on the fact that the surgical staff would "Soon fix me up good." No, instead I should be labeled as "In Critical Condition" and any other status be viewed as such. (Hmmm, is THAT what STAT comes from... meaning right NOW? I sure don't know) Back to IT work, if I was the customer then I would not care one damn bit of a system in place that is not consistently applied. The minute it becomes acceptable practice to arbitrarily award the SEI Levels is the same instance that such levels loose their meaning.
Now some might say (who lack working neurons) that this is exactly what happens with capitalist Evil Corporations (TM) yet in reality we see that it is the government itself that creates this system. If the government would place individuals in decision making roles that had both a sense of ethics as well as refined professionalism then you would find that requirements would soon show a dramatic shift towards the quality of the products and services rendered. Networked people are important, to that there is no question. Yet a professional organization will correctly view those connected personnel as one of the many factors involved in doing business. ("Professional" defined here not just as "they get paid to do X" but referring the the ethical and motivational set of standards and practices they employ) Some actually believe that without business developers sliming their way through the system, charming the customer and confusing them when they question bad quality, that there would be no business. Perhaps in some cases there would be less, but there have been entirely too many cases in history (large and small) that show that if there is a need on one end and a supplier on the other than things can work out just fine. The middle man is nothing more than a facilitator of this process... a catylist (sp) but since they themselves do not do any real work they are expendable in reality. Before them business happened at perhaps a slower rate. Without them business adapts. Without those providing the actual product and service than there is nothing to be made of the best of deals. Take out the bullshit artists in the government and soon you will find that their contractual counterparts will begin to vanish as well.
On a different but very much related note: Has anyone ever done a study of the percentage of commercials split up by radio, television and print (including the net) that actually advertise the uniqueness of the product, its advantages over competitors and why you should buy it? Don't get me wrong, I LOVE those beer commercials usually. However when so many commercials have become little sitcoms or tools of the "arteest" then I really fail to see how I as a consumer am supposed to do anything but ignore them and focus on doing research (to include ratings). I rarely see any commercial that is useful however that could just be where I live.
I seek not only to follow in the footsteps of the men of old, I seek the things they sought.
A more sane way to manage source packages on production boxes is to have a machine similar to the production boxes but with the developer toolchain installed.
The production boxes will still use debs or rpms but the compilation boxes can easily use something like checkinstall to make packages. This won't work in a potpurri environment but it would be fine if there's lots of identical machines. You mentioned that you wanted only particular software on your machines. With source compilation, you can even specify that the software only have certain options compiled in.
Since the dev toolchains are confined to a few boxes, maintaining those shouldn't be onerous either.
As far as security goes, I doubt the government will worry much about the bundled software; they generally disable everything they're not interested in and install their own segments for the functionality they need. While that does mean that the production systems probably won't have my favorite applications (because they haven't been ported to DII COE segments), at least my development systems can have what I want and still closely match the production systems. Heck, I could even develop at home.
That said, getting *any* version of Linux certified is great for me. I expect most of the Solaris segments will run with very little modification, so my development environment can very closely match my production environment. An the performance benefits I get from running on x86 hardware -- not to mention cost benefits -- will be phenomenal. (Given the recent revelations concerning Java and Solaris, running under a different OS is welcome as well, since a large part of our software is affected.) I might even get to use bash! And vim! (And emacs, for the heathens. Or your editor of choice.) And gcc!
I expect Linux will win its place in the DII COE hierarchy, and sooner rather than later. In fact, at least one very important DII COE segment is already adding Linux support. My job is about to get a whole lot easier.
For geek dads: Contraction Timer
I haven't seen a COE Linux environment, but based on my experience with COE Solaris, I can tell you that the answer is a bit more complicated.
Starting from a bare system, you first install the COTS (Common Off The Shelf) OS (RHAS, in this case). This will likely be a "custom" install since it will likely have some strange partition requirements.
On top of this, you would then install the COE "kernel". This is a core set of COE services, scripts, utilities, etc. Part of this process is the creation of several user accounts (sysadmin, etc) as well as a general lockdown of the box (no root logins allowed, lots of permission changes, etc.) This step will also likely involve installation of package updates to close various security holes.
From there, one would install the various "segments" (COE name for packages) needed to set the box up for a specific usage.
Personally, I'm curious to see if the COE kernel will load on top of a regular RH 8.0. I can see having RHAS for target systems, but it would be nice to be able to use the regular version as a development platform.
If the Green Berets use Redhat as part of a war (borg like) body suit... will they still be the Green Beret? Or the Red Hats?
Corporate Gadfly
Jonathan Archer: the most beaten up Enterprise captain in Star Trek history
IANAL, so take your own read of the EULA:
http://www.redhat.com/licenses/rhlas_us.html
It looks like each copy of RHAS installs with proprietary client to the RedHat network. This client is not GPL. It is "RedHat Intellectual Property". That's apparently what's licensed.
The GPL requires that we make GPL and GPL derivative source code available to recipients of the binaries. We do that, AND post the source on ftp for anyone to use, which we don't have to do for this or any other of our products which are posted on ftp. We feel we should adhere to the spirit of the GPL as much as to the letter.
,services, RHN, and in some cases ISV/IHV support.
AS has a stack of support and services that require a fee for use, reality is that no one will stop you from building your own or installing on multiple machines. But you won't get full support,
Only part of the value of AS lay in the bits.
How do these things relate to Linux? No one's arguing that it isn't a good development environment, but perl runs in Win32 fairly easily.
Have you tried to use perl on windows?
It just isnt the same. Perl proggies typically make heavy use of syscalls such as "fork" and "pipe".
Performance of these under windows is atrocious, not to mention that the whole windows filesystem/exec is shockingly low performance.
(Its not designed to be used in the way perl programs typically use it)
perl is seemingly perfect for linux, with its low forking overhead (comparable to creating a thread or lwp on other OSen) and its I/O subsytem performance.
Programming, even in high level languages, is a totally different ballgame under windows, if you want performance. You have to do it differently.