Red Hat, Oracle to get Gov't Certification for Linux

Mark writes "As this news.com article states, 'Red Hat and Oracle plan to announce on Thursday that the companies have teamed to get Linux evaluated under the Common Criteria, a certification that could open doors for the broader use of open-source software by government agencies.' It looks like this will be an important step in getting Linux to be more widely adopted in governments around the world."

Germany

[intermodal]

It's good to know the US Government is catching up technologically with the Germans...again...

Frankly...

[$$$$$exyGal]

"Frankly, there is a fair amount of disenchantment with Microsoft products because of security problems."

Thanks for being frank. This should be a wake-up call for all slashdot users.

--sex

Re:Frankly...

[mentin]

How would certification for EAL Level 2 would position Linux above Microsoft? Windows 2000 is already certified for EAL Level 4 (supposed to be more secure).

And where are all those articles that were popular on /. when NT was certified, basically telling us that this Common Criteria is total crap? Is it not a crap anymore?

Re:Frankly...

[jeff4747]

The NT crap comments arose because NT only got CC it's certification _without_ a network connection.

And as for the other point, wouldn't level 2 be a step towards level 4? Ya gotta start somewhere, and level 2 opens a lot of doors.

RHAS again?

[lspd]

The companies plan to first push Red Hat Linux Advanced Server for a modest level of certification: Evaluation Assurance Level (EAL) 2.

Sheesh... How much pushing does RHAS need? Show me a TCO study where RHAS at $800/server/year beats any free Linux distro. Simply plugging in a $800/server/year cost into most of the TCO studies I've seen makes Windows look like a bargain.

Re:RHAS again?

RHAS is free...They don't provide an iso for you, but check their website, they do provide step-by-step instructions on how to "create" a RHAS installation for free.

But for those that want service and don't want the hastle of putting all the pieces together they also provide a nice package.

As far as windows a bargain, how much does quality node-balancing software cost (~$500), Quality Firewall (~$300), Advanced Server ($750), I could keep going but I think you get the picture. If you don't need HA then RHAS isn't a great deal, but then again if you do, MS doesn't have a competive product...say what you want about 2000&XP (big improvement over NT&9x), you can't call them HA.

BTBTBT

scooby

Re:RHAS again?

[Herkum01]

The companies plan to first push Red Hat Linux Advanced Server for a modest level of certification: Evaluation Assurance Level (EAL) 2.

Sheesh... How much pushing does RHAS need?

Sometimes that all a company look's at is certification levels. I have a friend that runs a software development company. They cannot get any big jobs because they lack a software process certification. It does not say that they are great programmer's or effective, it just says, "Hey we went through this process and this is the type of service that we provide."

It is is the same thing with certain types of software. If you don't have the correct certification, certain agencies and businesses cannot even consider doing business with you. They would not go through these hoops if they don't not believe that they would get somewhere

Re:RHAS again?

Nothing...except...I sort of fibbed...99% of RHAS is free, a tiny bit of the code is redhat's but not open source. But there are other free options to do these tasks (just not so pretty ones).

BUT if you read redhat's site, they explicitly say that you can make your own ANYTHING based off their open source code (+ others), are sell it as their own. The only caveat is that you CAN'T use the RH logo or name to endorse your product...it HAS to be in your name, and show no direct affiliation (the most you can say is that it is based on RH, like Mandrake does/did).

So if you follow their directions, build your own ISO, you could sell it as yourDistroLinux, the only problem is support, etc. Most companies that really have HA requirements also have the money (and need) for large full service support contracts. And if they are going to pay for it, they might as well pay RedHat (the industry standard).

I think is would be a great OSS project, and in fact there are several like it out there. http://linux-ha.org/ (I've counted 8 "developer groups" that looked like they already had a decent HA solution).

BTBTBT

snoopy

Re:RHAS again?

[nathanh]

Simply plugging in a $800/server/year cost into most of the TCO studies I've seen makes Windows look like a bargain.

Huh?

1. RHAS is free. The added professional services cost $800 but the whole CD is GPL. Read this (http://www.redhat.com/software/whichlinux.html):

Advanced Server is sold through a one-year subscription and it does have a licensing agreement. But before you mention the "p"-word ("proprietary"), understand that the code is open and protected by the GPL license. It's not proprietary. We're licensing the services, not the software. The source code files can be downloaded by anyone, and you still have the right to use the software after the license and services expire.

2. A Windows Cluster with SiteServer and SQL Server can cost upwards of $20,000. I don't see how this is a "bargain" compared to $800.

Re:RHAS again?

[Afrosheen]

I worked for an ISO9002 certified company before (York International) and my boss told me the crap behind the cert with ISO also. Basically companies won't do business with you if you're in manufacturing and don't have your ISO cert. The only thing ISO really requires is that your processes are fully documented in specific ways. You could build a product that doesn't fuckin' work and still be ISO certified as long as the docs are there.

Is Larry making a stand?

[mj01nir]

"We are going to use Unix and Linux as the evaluation platforms for our products in the future, and not Windows, because the customer demand for Windows is not there," she said. "Frankly, there is a fair amount of disenchantment with Microsoft products because of security problems." ... said Mary-Ann Davidson, chief security officer for Oracle.

Wow. I knew Larry hated Bill and MS, but I sure wouldn't have expected this! Or is he just conceding the Windows server database market to Bill and trying to grow the Linux market on the low end + the UNIX market at the higher end?

Hmm...

Re:Is Larry making a stand?

[speeding_cat]

"We are going to use Unix and Linux as the evaluation platforms for our products in the future, and not Windows, because the customer demand for Windows is not there," she said. "Frankly, there is a fair amount of disenchantment with Microsoft products because of security problems." ... said Mary-Ann Davidson, chief security officer for Oracle.

Wow. I knew Larry hated Bill and MS, but I sure wouldn't have expected this! Or is he just conceding the Windows server database market to Bill and trying to grow the Linux market on the low end + the UNIX market at the higher end?

Smart companies try to transform complementary products of other companies into commodity items. OS for Oracle nicely fits into this picture. Since they need it anyway, might as well be inexpensive Linux. Also, one more Linux system - one less Windows system that could run MSSQL instead of Oracle. The choice to support Linux is really no brainer for Larry the Nut.

Linux port should also be relatively cheap for Oracle, since it is very much like standard Unix and Oracle tends to use basic OS facilities anyway.

Re:Is Larry making a stand?

[earlytime]

FYI,

larry & co have been pushing oracle on linux for years. after all, if you run oracle on a stable and cheap OS, there's more licensing and support $$$ left over for larry.

larry's support for linux is not a big deal for sun (at least it wasn't when he started), since 99.999% of linux runs on x86, and (almost)nobody uses solaris on x86.

larry has always hated bill. he's a simple man. he wants, power money and women(in that order), and bill is after the first two. linus is a hippie who's already married, so there's more for larry with linux.

Re:Is Larry making a stand?

[josh+crawley]

Why do I keep thinking "Leisure Suit Larry" whenever you mention Larry in this post? ;-P

Re:Is Larry making a stand?

[Malcontent]

"Or is he just conceding the Windows server database market to Bill and trying to grow the Linux market on the low end + the UNIX market at the higher end?"

He seems to be saying that there is no windows database server market. I think that probably is pretty correct as far as Oracle is concerned. I don't know too many people who would run oracle on windows espcially for large operations where oracle really shines. If you need oracle and can pay for it there is ZERO reason to put it on windows.

Now we just need an OS DB

[marko123]

And the world can see what the DoD are using. I'd love to submit patches to the armed forces.

Support coming from the right areas..

[anto]

It is good to see that the requests for the certifications arn't coming from a vendor or the developers but the end users who will be deploying the product. You really can't get a better advertisment than that.
Having Oracle on side will help as well, as the article mentions they have tones of experience getting their product (and thus the OS) certified. It is massivly in Oracle's interest to do so - less $'s on the OS means the purchaser can spend more on the hardware / DB.

Hypocritical?

[m00nun1t]

Isn't this the same thing we criticised when Microsoft was certified and said that if they made it through, it must be hopelessly inadequate certification process? Now the Linux is involved, it's suddenly a good thing?

A bit of MS bashing is fine, but this is taking it a bit far for me.

Re:Hypocritical?

[Mandi+Walls]

Ah, here we go again.

The Common Criteria is of the fashion:

"I have this product. I am going to tell you what it does in a security-related context. You can take this checklist, test my product, and certify that it does in fact do these things."

There is no security implied by the certification. It is a recommendation from the vendor of what the product is best used for when the customer is shopping for products to do certain security-related tasks. The vendor makes the checklist, a third party says "yay" or "nay", the customer says "i need a product that does X, Y, and Z. Windows does X, HP-UX does X and Y, and this one all three, plus it will help my sex life". Or something similar, anyway.

These things can be as simple as "userA cannot access userB's files" to "enforces complex passwords" to "has the biggest crazy ass firewall known to man". Well, maybe not that last one...

Now y'all can go back to shootin' your mouths off.

--mandi

Re:Hypocritical?

[zmooc]

The quality of the test doesn't matter at all - if MS passed, it could have been better. But that doesn't make it any less interesting to have Linux pass the test to show those who really (have to) use such certifications in decision-making that Linux is an option.

People that have to make such decisions are also a lot safer by choosing certified products; if something goes terribly wrong, you can always say that the product you choose was has some "official" certification upon which you based your decision and you're pretty safe. If it goes wrong and you don't have any such paperwork to fall back on, you're definately in a much weaker position explaining why you didn't choose the "safer" product to someone that doesn't know the difference between product A and product B and only sees "product A is certified, product B isn't". It's just that maybe you and I know that Linux is often a better choice but an incredible lot of other people don't.

Recession can be Good Thing

[Herkum01]

Sometimes it takes something that has a drastic economic impact to for people to seriously look at alternatives. Linux is gather momentum at just the right time, I believe. Everyone has financial problems, and is looking for cheaper alternatives. Linux packages are hitting that point which say "We're professional software." These sort of certifications which add reinforce to that reputation.

Linux has a bright future ahead.

Not quite...

[LordZardoz]

They are working together to convince a potential customer that their collective product is worth buying.

Getting the US Government to start buying Linux based solutions gives them more potential customers. I would guess that is a given that if it is certified for government use at the federal level, that it becomes a legitimate product for the state governments as well.

Besides, how is this different from say, IBM and Sun working together to promote Java?

END COMMUNICATION

Re:dupe?

[MrByte420]

The story from the other day was that the DoD had certified Red Hat for their purposes. This is Red Hat and Oracle attempting to gain a more general federal certification which would allow many agencies to consider linux for deployment. Federal law currently requires many agencies to only use "certified" software and operating systems.

This is not a Dupe!

[MrByte420]

This is not a dupe. The story from yesterday is about how the DoD has certified RedHat server as a common operating environment. This story talks about how IBM and Oracle are attempting to get Linux certified on a wider federal level so that agencies can be permitted to use it. They are two different certifications and two different issues and hence two different stories.

I'm always amazed by the number of clarivoyant slashdot users we have around here who don't need to read a story before posting...

Re:Who posts the most dupes?

[idontgno]

Except that in this case, it ain't a dupe.

Yesterday's article was about RH 8 AS getting DISA (Defense Information Systems Agency) DII (Defense Information Infrastructure) COE (Common Operating Environment) certification. Todays' certification article-o-the-day is about RH 8 AS getting Common Criteria EAL (Evaluation Assurance Level) 2.

Yeah, to the uninformed, it looks the same. But (A) DII COE is specifically a US DoD certification, whereas CC EAL is an international certification (administered in the US by NIST--National Institute of Standards and Technology); and (B) The article about RH's EAL certification also extensively yatters on about Oracle 9i, whereas the RH COE article doesn't.

So in conclusion, this is an erroneous dupe sighting. Nothing to see here, move along.

Encouraging step.

[dwheeler]

I take this as an encouraging step, especially since they note that the final goal is to certify both Oracle and the underlying GNU/Linux system at EAL 4. This sort of thing makes it much easier to deploy GNU/Linux widely in governments; it will be much easier for governments to base operating system acquisition decisions based on factors like functionality, cost, flexibility, and lock-in.

The article is very short on details, though. Starting small (EAL 2) is probably a good idea - especially since I know of no open source software / Free Software that's gone through a full, normal Common Criteria evaluation (so it would be a first test case). EAL 4 only measures the evaluation effort - it doesn't specify what security functions will be evaluated (nor what threats, assumptions, organizational security policies, configuration, etc. will be used). Hopefully Oracle and Red Hat will include security functions based on a widely-accepted "Protection Profile" (a document that specifies what the users want, including the threats to be countered and the security functions that need to be provided). Currently, the U.S. DoD strongly encourages only purchasing products that have been evaluated to meet not just an EAL level, but meet a "government-approved" PP.

Evaluations are specific to a particular configuration, so this would mean that those who need the evaluated version would need to get the Red Hat distribution named here - not the inexpensive version used by many. That's a side-effect worth noting.

Government...been there, done that

[frozencesium]

um, the NSA has already modified linux (the kernel) so that it will meet their standards. redhat is named as a tested distro...see this for details. The biggest problem is that the US government seems to think that they must rely on M$ software (in the unclassified environment at least) for things like exchange and ease of use for the "typical" user.

this is simple posturing at it's finest. of course...the government's high performance systems (read clusters) aren't running windows anyway. this won't change anything.

-frozen

Re:dupe? No. This is different.

[The_Dougster]

This seems to be another type of cert.

This is a good thing as the US DoD uses ADA95 for most everything AFAIK and the GNAT compiler works just dandy with Linux. This is what DoD needs, an inexpensive, yet totally robust system which they can put unleash the military programmers on.

A good example is BRL-Cad which is available for free download by US Citizens. This is a nice OpenGL capable solid modeler, somewhat clunky, but probably better than any other free CAD program available for Linux right now.

I'm a veteran of the US Military, and I think that Linux is a great choice for them, since they have the capability to provide cheap, effective, and efficient training about their computer systems to all the members of the armed forces. The US Military could easily train several million service personnel to be effective Linux programmers in a quite short period of time.

And of course, as a taxpaying citizen, I want my armed forces buying the best weaponry, not lining some 2-bit computer software vendor's pockets, especially when those vendors undermine the rights of the citizens by channeling that money back into lobbying for laws like the DMCA.

This is where RedHat shines. I use Debian myself, but Debian is too chaotic to apply for these certifications; however, RedHat could make a killing by supplying the US Government their software, and since Linux is Linux is Linux, this gives my government the state of the art software: it is secure, it is robust, it is inexpensive, and it is the best development environment in the world!