Slashdot Mirror


Red Hat, Oracle to get Gov't Certification for Linux

Mark writes "As this news.com article states, 'Red Hat and Oracle plan to announce on Thursday that the companies have teamed to get Linux evaluated under the Common Criteria, a certification that could open doors for the broader use of open-source software by government agencies.' It looks like this will be an important step in getting Linux to be more widely adopted in governments around the world."

6 of 171 comments

  1. Is Larry making a stand? by mj01nir · · Score: 4, Interesting

    "We are going to use Unix and Linux as the evaluation platforms for our products in the future, and not Windows, because the customer demand for Windows is not there," she said. "Frankly, there is a fair amount of disenchantment with Microsoft products because of security problems." ... said Mary-Ann Davidson, chief security officer for Oracle.

    Wow. I knew Larry hated Bill and MS, but I sure wouldn't have expected this! Or is he just conceding the Windows server database market to Bill and trying to grow the Linux market on the low end + the UNIX market at the higher end?

    Hmm...

    --
    the no .sig .sig
  2. Recession can be Good Thing by Herkum01 · · Score: 3, Interesting

    Sometimes it takes something that has a drastic economic impact for people to seriously look at alternatives. Linux is gathering momentum at just the right time, I believe. Everyone has financial problems, and is looking for cheaper alternatives. Linux packages are hitting that point which says "We're professional software." These sorts of certifications add reinforcement to that reputation.

    Linux has a bright future ahead.

  3. Not quite... by LordZardoz · · Score: 3, Interesting

    They are working together to convince a potential customer that their collective product is worth buying.

    Getting the US Government to start buying Linux-based solutions gives them more potential customers. I would guess that it is a given that if it is certified for government use at the federal level, it becomes a legitimate product for the state governments as well.

    Besides, how is this different from say, IBM and Sun working together to promote Java?

    END COMMUNICATION

  4. Encouraging step. by dwheeler · · Score: 3, Interesting
    I take this as an encouraging step, especially since they note that the final goal is to certify both Oracle and the underlying GNU/Linux system at EAL 4. This sort of thing makes it much easier to deploy GNU/Linux widely in governments; it will be much easier for governments to base operating system acquisition decisions on factors like functionality, cost, flexibility, and lock-in.

    The article is very short on details, though. Starting small (EAL 2) is probably a good idea - especially since I know of no open source software / Free Software that's gone through a full, normal Common Criteria evaluation (so it would be a first test case). EAL 4 only measures the evaluation effort - it doesn't specify what security functions will be evaluated (nor what threats, assumptions, organizational security policies, configuration, etc. will be used). Hopefully Oracle and Red Hat will include security functions based on a widely-accepted "Protection Profile" (a document that specifies what the users want, including the threats to be countered and the security functions that need to be provided). Currently, the U.S. DoD strongly encourages only purchasing products that have been evaluated to meet not just an EAL level, but meet a "government-approved" PP.

    Evaluations are specific to a particular configuration, so this would mean that those who need the evaluated version would need to get the Red Hat distribution named here - not the inexpensive version used by many. That's a side-effect worth noting.

    --
    - David A. Wheeler (see my Secure Programming HOWTO)
  5. Re:Frankly... by jeff4747 · · Score: 5, Interesting

    The NT crap comments arose because NT only got its CC certification _without_ a network connection.

    And as for the other point, wouldn't level 2 be a step towards level 4? Ya gotta start somewhere, and level 2 opens a lot of doors.

  6. Re:RHAS again? by nathanh · · Score: 3, Interesting
    Simply plugging in a $800/server/year cost into most of the TCO studies I've seen makes Windows look like a bargain.

    Huh?

    1. RHAS is free. The added professional services cost $800 but the whole CD is GPL. Read this (http://www.redhat.com/software/whichlinux.html):

    Advanced Server is sold through a one-year subscription and it does have a licensing agreement. But before you mention the "p"-word ("proprietary"), understand that the code is open and protected by the GPL license. It's not proprietary. We're licensing the services, not the software. The source code files can be downloaded by anyone, and you still have the right to use the software after the license and services expire.

    2. A Windows Cluster with SiteServer and SQL Server can cost upwards of $20,000. I don't see how this is a "bargain" compared to $800.