Slashdot Mirror


Sun-isms Debunked

Newman writes "We're all aware of the hole-ridden arguments that Sun executives Scott McNealy and Jonathan Schwartz use to attack Linux. This guy at NewsForge really grilled them at the Solaris launch party last Monday, and actually got some straight answers out of them. At the end of the article, both execs have some specific words for Slashdot readers."

11 of 591 comments

  1. He doesn't understand patents by hayden · · Score: 4, Informative
    There is a serious flaw in this reasoning; there is no legal basis for Kodak to sue end users over their use of the JRE or JDK.
    Any decent software patent has four groups of claims that claim essentially the same thing. Method, system, media and the other one that I can never remember. Method protects using the same method as the claim, system protects using a system that implements the claim and media protects distributing the claim on a media (CD, DVD etc).

    Using software that infringes a patent violates system and probably method claims. Unless you have a contract agreement with the software company that says they'll protect you against patent infringement lawsuits then you're screwed. And if you know the software you're using infringes a patent then you're screwed x3.

    The reason you rarely see companies going after users is because they tend not to have as much money as the company making the software.

    --
    Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.
  2. It's all about the hardware by argoff · · Score: 4, Informative


    Right now the only thing that differentiates Sun from the rest of their market place is their expensive high end hardware. They need to squeeze as much out of it as possible till it caves into the x86-64 commodity CPU market. Then their ability to gain high profit margins will be gone, as well as their position to compete in the computer space. Part of that differentiation is Solaris, that's why they need to squeeze as much out of it as they can even if Linux is the one taking over the server-space industry.

  3. Trusted Solaris 8 / SELinux by dido · · Score: 4, Informative

    Other GNU/Linux distros may not have military grade security like Trusted Solaris 8, but Security Enhanced Linux (SELinux) was developed by the National Security Agency -- surely that's good enough for government work.

    It's a bit more complicated than that. If you read the SELinux FAQ:

    12. Is Security-enhanced Linux a Trusted Operating System?

    No. The phrase "Trusted Operating System" generally refers to an operating system that provides sufficient support for multilevel security and evidence of correctness to meet a particular set of government requirements. Security-enhanced Linux incorporates useful ideas from these systems but focuses upon mandatory access controls. It is expected that this work would be combined with other efforts (e.g., auditing and documentation) to construct a "trusted" system. The initial focus of Security-enhanced Linux development has been to create useful functionality that delivers tangible protection benefits in a wide range of real-world environments in order to demonstrate the technology.

    The NSA itself says that it's NOT one, so on its own SELinux is not good enough for secure US government work, despite its being developed by the NSA.

    --
    Give me six lines written by the hand of the most honest man, and I will find something in them to hang him.
  4. Security, et al by jd · · Score: 5, Informative
    First, the Government takes this really warped view that everything has to be FIPS-approved and NSA-approved, even if the NSA wrote the bloody thing.

    In consequence, Netscape's SSL is considered acceptable for Government use (and DES has only just had its permission revoked), but the DoD's own implementation of IPSec and the NSA's work on SELinux are not. Rijndael-128 is OK, but Rijndael-256 is not. Even though all the evidence so far is that both versions of Rijndael are perfectly good.

    A version of SuSE Linux (with help and funding from IBM) has been certified by the NSA as secure under the "Common Criteria" at about the same sort of level as Windows NT. This was on a PC I believe. No other platform for Linux, and no other distribution of Linux, has been certified.

    So, you CAN run that specific version of SuSE on the specific PC platform it was tested on on military unclassified or confidential networks. Because so few OS' have been certified (only a tiny number of Unix manufacturers have the money for the approval process, never mind the development!!!) it's common practice to run any "approved" OS on Secret and Top Secret networks, even though they're not supposed to.

    (Having worked as a contractor for the DoD, I can tell you that it is also not uncommon for software companies to request and receive waivers exempting them from NSA security auditing. The main appeal of COTS solutions, such as Microsoft, is that it's a lot cheaper than most GOTS solutions and the quality is about the same.)

    For real "military grade" security (the stuff the military would like, if they weren't spending all their money in strip clubs) you'd need to take one of the existing security patches and add the following:

    • Mandatory Access Controls on packets and sockets
    • Mandatory Access Controls on allocated memory (and either MAC or secure wiping on freed memory)
    • Mandatory Access Controls on all files (SELinux does this, not all the others do)
    • FIPS compliance on all hash and encryption algorithms
    • If MOSIX (or some other clustering patch) is applied, MACs should migrate between nodes. Nodes should also have a security label, and it should be impossible to migrate unauthorized material between any two nodes, or authorized material to an unauthorized node.
    • There's no real specification on handling network QoS algorithms, as far as I know, but the NSA would likely be happier if queues also had security labels. That way, there could be no attack which allowed a packet of lower clearance to run into a packet of higher clearance in such a way as to expose the higher clearance material to a lower clearance process.
    • The kernel and the core packages would need to be fairly watertight against buffer overruns and other common coding bugs. It should also be fairly fail-safe, such that if such a bug did exist, it would be hard to use that to bypass the access control system.

    All that would give Linux a clearance comparable to the old B2 or B1 levels, which would be more than adequate for most classified networks. Relative to the work already put into Linux, it's really not that much. If IBM and SGI wanted to pool resources to make a B2/B1 version of Linux, I see absolutely no reason why they couldn't.

    Now comes the fun part! What if you were to do all the above, and then do a line-by-line full coding audit with formal validation? IBM has something like 10,000 Linux coders. There are 50,000,000 lines of code. Assuming you could do the audit at no more than 10 lines a day, it would take 100 days to audit the kernel to this degree. For a real bare-bones box, it would probably take about the same to do the user-space stuff.

    What would this give you? Well, the ONLY COTS Operating System to be A1-certifiable. There simply aren't any other. Nobody makes software to the A1 standard. At least, not that

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  5. Comparing UML to N1 Grid Containers? Ridiculous.. by ikewillis · · Score: 4, Informative
    GNU/Linux may not have Solaris containers (which allow applications to run in virtual instances of Solaris, isolated from the rest of the OS), but it does have Usermode Linux (UML) which provides similar functionality using a different technique.

    UML has substantially low performance compared to N1 Grid Containers. If you're going to compare a server virtualization feature, compare to something like the Xen Virtual Machine. In this performance comparison, you can see the performance of UML is rather appalling, especially compared to Xen.

    The performance of Solaris Grid Containers is more akin to Xen or FreeBSD jails. However, the advantage N1 Grid Containers have over Xen is that they are portable to every platform Solaris runs on (SPARC, IA32, AMD64) whereas Xen only emulates one platform (IA32). Also, there are other Solaris features for which there are currently no Linux counterparts, such as the Fair Share Scheduler, which allows an N1 Grid Container to be bound to certain processors and given a dedicated percentage (or share) of available processor resources. This provides an advantage over Xen and UML which can't even use multiple CPUs. It has an advantage over FreeBSD jails where monopolization of system resources by a single jail cannot be easily avoided.

    While Linux may have counterparts to various Solaris features, in terms of maturity, feature set, and performance of these features Solaris has Linux trumped.

  6. Solaris 10 zones were inspired by FreeBSD Jails by keepper · · Score: 4, Informative

    http://www.sun.com/bigadmin/features/articles/solaris_zones.html

    It's interesting that FreeBSD influence is getting
    recognition at Sun... Maybe now they will be persuaded
    to support some of their products on FreeBSD. (aka Java, and yes, I know about the FreeBSD Java group
    and their agreement on the 1.3.X JDK with Sun)

  7. Re:What day of the week is it? by upsidedown_duck · · Score: 5, Informative

    I'm tired of the bullshit.

    Bullshit? Sun's stock has steadily gone up over 60% since August, all in anticipation of Solaris 10, Niagara, fighting off losers like Kodak, etc. Sun is going through another one of its re-invention cycles, and will have massively-multi-threaded systems in the next two years with Solaris 10, complete with super-fast TCP/IP and through-and-through checksums on ZFS (among other things).

    --
    -- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
  8. Re:Still can't see how Sun will survive by darnok · · Score: 4, Informative

    Yep, you're right on both counts. However...

    Every Sun purchase I've seen has been ultimately driven by support and reliability/uptime. Sun recognised this, and focused on building hardware and software to address reliability/uptime in particular. What's changed is that, while Solaris has more features than Linux in some ways, those features are primarily related to uptime which isn't that big a deal any more.

    Why not?
    - for every useful feature that Sun adds in, someone in Linux-land will eventually see that feature as a good thing and work will be done to port that feature to Linux. The porting to Linux of an existing Sun feature can be done faster than Sun can think up and build new features, and as Linux pushes more and more into the enterprise, the focus will become more and more on replicating Sun's advantages in Linux. The numbers are simply against Sun managing to stay ahead
    - to a very large extent, you can achieve uptime by scaling "wide" i.e. throwing more boxes at the problem. It's absolutely not a panacea to all uptime issues, but it's an approach that fits particularly well with Linux/Intel due to the low incremental cost of the hardware. Whatever "uptime smarts" Sun can add to their OS, I and many others can achieve the same results (in pure uptime terms) by bolting a bunch of new Intel boxes into a rack

  9. Re:What day of the week is it? by killjoe · · Score: 4, Informative

    Read this article from Motley Fool. Everybody is wondering how Sun is going to make money. Before you say "service" keep in mind the most expensive support plan from Sun is less than the least expensive support plan from RedHat. They can't possibly make up the difference from support if they are practically giving that away too.

    So what's left to sell? Intel boxes? AMD64 Boxes? Sparc workstations?

    Do you really see Sun sustaining itself with those products? I don't.

    There is only one thing that Sun has that could make it money and that's patents.

    --
    evil is as evil does
  10. Re:What day of the week is it? by nickco3 · · Score: 4, Informative

    Yeah, linux is so much easier to use than Solaris

    Well, once you've got around to installing the GNU tools onto Solaris, it's every bit as usable as Linux.

    --
    -- Nick "Hallo this is Beel Gates, und I pronounce weendows as ... WEENdows"
  11. Re:What day of the week is it? by spurious+cowherd · · Score: 4, Informative
    But it would be more interesting if you posted the correct comparison chart

    Sun Microsystems is SUNW not SUN

    --

    Time flies like an arrow, fruit flies like a banana.