Slashdot Mirror


User: Nailer

Nailer's activity in the archive.

Stories: 0
Comments: 1,931

Comments · 1,931

  1. Tripwire is a waste of money on No Defense Against Windows Rootkits? · · Score: 1

    RPM already records checksums of every file it installs. It can also be run from a rescue CD pretty easily, and can use a known good backup of the RPM database to achieve similar functionality to tripwire.

    Nothing against tripwire, if you didn't have RPM it'd be a fine tool, just checksumming everything twice for no reason sounds silly.

  2. Re:It works both ways, but it's worse for MS on No Defense Against Windows Rootkits? · · Score: 1

    -keeping copies of /bin and /usr/bin on some ro media (either a CD or on a separate server mounted ro), and checking them against your working copies regularly.

    Back up /var/lib/rpm to some read-only media.

    Boot off your rescue CD of choice, mount your hard disk, and run

    rpm --dbpath /path/to/dbbackup --root /path/to/hd -V kernel coreutils net-tools procps

    Modifying that package list as appropriate for your Linux distro.

    This is assuming your Linux distro actually uses RPM as its native format, rather than just installing RPM packages as the LSB requires.
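
Added example (not part of the comment above, and not code from the RPM project): a shell filter that triages the output of the `rpm -V` run described in that comment, so changed binaries stand out from routine config edits. The HIGH/LOW split and the function names are assumptions made for this example, and the sample lines are constructed.

```shell
#!/bin/sh
# rpm -V prints one line per file that differs from the package database:
#   <flags> [attr] /path     flags: S=size M=mode 5=digest U=owner G=group T=mtime
#   missing [attr] /path     attr:  c=config d=doc g=ghost (empty for plain files)
# Assumed triage policy for this example: a digest, mode, owner or group change
# (or a missing file) on a non-config, non-doc file is HIGH; the rest is LOW.
# Paths containing spaces are not handled.

classify_rpm_verify() {
    awk '
    $NF !~ /^\// { next }                       # skip anything that is not a file line
    { attr = (NF == 3) ? $2 : "" }              # attribute marker, if present
    $1 == "missing" {
        print (attr == "" ? "HIGH" : "LOW"), $NF, "missing"
        next
    }
    length($1) == 8 || length($1) == 9 {        # older rpm prints 8 flags, newer 9
        r = ""
        if (index($1, "5")) r = r "digest,"
        if (index($1, "M")) r = r "mode,"
        if (index($1, "U")) r = r "owner,"
        if (index($1, "G")) r = r "group,"
        sub(/,$/, "", r)
        sev = (r != "" && attr == "") ? "HIGH" : "LOW"
        print sev, $NF, (r == "" ? "other" : r)
    }'
}

# Constructed sample of rpm -V output, for running this offline.
sample_rpm_verify() {
    cat <<'EOF'
S.5....T.    /bin/ps
S.5....T.  c /etc/sysctl.conf
.......T.    /bin/ls
missing      /sbin/ifconfig
.M...UG..    /bin/netstat
EOF
}

# Real use, from the rescue environment, with the command from the comment:
#   rpm --dbpath /path/to/dbbackup --root /path/to/hd -V kernel coreutils \
#       net-tools procps | classify_rpm_verify | sort
sample_rpm_verify | classify_rpm_verify | sort
```
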

  3. Re:Windows vs Linux on Unreliable Linux Dumped from Crest Electronics · · Score: 3, Informative

    And the Red Hat engineers asked the customer to run a diagnostic, and didn't hear anything further. Can any engineer fix a problem on a machine they don't have access to without someone to follow their instructions?

  4. On the topic of RSA PAM, and security in general on SSH Claims Draw Open Source Ire · · Score: 4, Insightful

    Out of every company in the world, what's the last you would expect to not provide a cryptographically signed package?

    RSA's own PAM modules for RHEL are distributed as an unsigned tarball. Along with the stuff you're telling me above, I don't really have much trust in RSA as a security company (and hence any trust in RSA at all).

  5. OMGZ MOD PARENT UP11111@@!!! on Red Hat Seeks to Deliver Most Secure Linux · · Score: 1

    The parent poster is right. Red Hat is turning into the next Microsoft! Not the current Microsoft, but an even worse 'next' Microsoft that makes secure Operating Systems with decent default firewalling, MAC, no execute on new files, etc. And gives away all its source code to get you hooked! And even allows people to watch the revision control system to continue your OSS dependency habit! With a public bug database to get people sucked in! And buys other companies that make directory servers and clustered filesystems, but then uploads the source code for these once-proprietary things onto the intarweb!

    REDHAT IS CLEARLY TEH MOST PROPIETERY COMPANY IN TEH UNIVORSE

  6. RTFA on Red Hat Seeks to Deliver Most Secure Linux · · Score: 1

    Nobody says Red Hat Enterprise Linux 5 (presumably that's what you mean by RedHat Server 2007) is uncrackable. They just say it's more secure.

    Asslobster.

  7. Re:SELinux is easy, once it's explained properly. on Red Hat Seeks to Deliver Most Secure Linux · · Score: 1

    AFAIK, OpenBSD has no Discretionary Access Control

    Er, mandatory access control. Long night. :^)

  8. Re:Missed a link :) on Red Hat Seeks to Deliver Most Secure Linux · · Score: 1

    Sure, but there's library base address randomization, NX and Execshield (which are used to mark areas of memory nonexecutable - I presume this is what W^X does, but correct me if I'm wrong), etc turned on by default in RHEL. There's no MAC method in OpenBSD tho.

  9. OpenSSH specifically supports enterprise admin on SSH Claims Draw Open Source Ire · · Score: 3, Informative

    I'm sure there's a way to enterprise-manage ssh other than passing keys around. But it doesn't seem to come out-of-the-box with OpenSSH just yet.

    Kerberos. Its implementation in OpenSSH is a good example of how they specifically support enterprise admin. Kerberos is fairly poor security wise, using symmetric encryption and hence holding copies of user passwords on the server. It's poor security according to those with high standards, and inferior to PKI according to everybody. But OpenSSH supports it, because Kerberos is the most popular single sign on method used at corporates.

    Interestingly, OpenSSH's market share is something like 76% of all SSH servers.

  10. Cthulhu 1, God 0 on Giant Squid Caught on Film · · Score: 1

    Let's see pics of your figure of worship

  11. Why bother with Latex? on KOffice Developers Reply to Yates · · Score: 1

    Latex isn't an XML variant, requiring specialist tools to do inaccurate transform to and from other formats, most of which are low quality, and many of which don't exist (doc2tex?).

    There's no modern Latex editor that allows users to edit their document without having to unnecessarily know the underlying file format.

    Latex has no benefits, as structured, transformable documents can be made in OASIS with much less headaches.

    It uses TaRdCaPs

  12. Re:zlib is open source. on Open Source Code Finds Way into Microsoft Release · · Score: 1

    You're right. I meant to say any public domain source code, not software.

  13. zlib is open source. on Open Source Code Finds Way into Microsoft Release · · Score: 2, Insightful

    The traditional sense of Open Source is the Open Source Definition, much in the same way that the traditional sense of Free Software is software that provides the FSF's list of essential freedoms.

    zlib meets all the points in the Open Source definition and can therefore be called Open Source. So can any public domain software.

  14. Before WinFS on Interview With Reiser4 Author Hans Reiser · · Score: 1

    Besides indexing stuff that has no user-space support yet, I'd like decent recovery tools, at least on par with Ext3, and no memory of Reiser getting into fist fights with such basic stuff as NFS. Does it even work with SELinux yet?

  15. Re:Times have changed on How About a Nice Game of Global Thermonuclear War? · · Score: 1

    Congratulations, you've sunk to their level.

    Iran, North Korea, Israel, and the US. You're all running round with nuclear weapons, three of you openly accept torture as a legitimate means of interrogation (and the US has gotten pretty close recently), and all of you execute children.

    You all disgust me.

  16. Re:Its all in the hardware on Linux Five Years Away From Mainstream · · Score: 1

    AFAIK no mainstream vendor supplies kernels. I think you mean proprietary driver modules.

    Do OSX and Windows have any OSS driver modules at all? How did moving to OSX solve your problem?

  17. Re:One million accounts? on Infrastructure for One Million Email Accounts? · · Score: 1

    Did you miss the part about this being the U.S. Navy?

    Er, no. I missed nothing, as the article does not mention who the system is for at all, you pompous git.

  18. So which delivery agent automatically hardlinks? on Infrastructure for One Million Email Accounts? · · Score: 1

    Your idea is good, but is it implemented anywhere?

  19. Re:Simplicity is key. on Infrastructure for One Million Email Accounts? · · Score: 1

    You need a central configuration repository to store the email accounts, their passwords, etc. OpenLDAP is perfect for this, and you can replicate it out for scalability.

    You clearly know more about large mail systems than I do, but I couldn't resist responding to this. OpenLDAP is actually pretty poor when it comes to replication: ACLs on directory entries aren't stored in the directory last time I checked, and aren't replicated at the same time as the data. This is, frankly, dumb.

    Red Hat Directory Server (formerly AOL Directory Server, formerly iPlanet) is OSS, stores ACLs in the directory, supports multi master replication and has existing large scale setups at both AOL and the US DOD.

    Disclaimer: I work for Red Hat.

  20. Re:YIKES! Tossing out the groupware?! on Infrastructure for One Million Email Accounts? · · Score: 1

    1. Transport Sender (sendmail). That's right! Good ol' plain sendmail scales.

    From the sound of your mail, you have more experience in large mail systems than I do. So you may know something I don't here. But I'd like to point out that Postfix scales too (primary MTA at AOL) and so does Exim (primary MTA at Google). The latter two MTAs also don't install transports for rarely used protocols waiting around for someone to exploit them, and reduce the chance of misconfiguration by shipping a standard Unix human readable config file.

  21. One million accounts? on Infrastructure for One Million Email Accounts? · · Score: 1

    One million accounts, huh?

    So one out of every 5000 humans in the universe will have an account on your mail infrastructure?

    Even counting for dupes, I don't believe you'll ever serve a million email accounts. This isn't a technical thing. It's one of those 'gee there aren't enough people in the world for me to believe you' things.

    But I might be wrong. People seem to estimate their customers and users in such a way that suggests a good chunk of everyone on the planet is using their stuff all the time. I just don't believe them until I've seen real evidence. Nothing personal.

  22. Re:Use Sans fonts by default on Help Beta Test Slashdot CSS · · Score: 1

    The improvements exist, sure, but still, the best monitor available right now can do 133 DPI, if I'm up to date. A hundred dollar printer can do 1200 DPI. So computer displays are indeed low resolution devices when compared to say, paper.

  23. Re:This word already has a definition. on All About Geocaching? · · Score: 1

    I saw an article about a topic. The article is about another topic that hijacked the word.

    Yes, language is dictated by use. It doesn't mean that the people used to the original definition of a word don't have the right to be annoyed when the word is used to describe something else.

    If I'm a snob, your assumption that I don't have that right makes you a fascist. And portrays you in an unfavorable light.

  24. Re:This word already has a definition. on All About Geocaching? · · Score: 1

    There's no other computer term called spam. There's no other computer term called easter eggs. There is another computer term called geocaching.

    Obviously.

  25. Use Sans fonts by default on Help Beta Test Slashdot CSS · · Score: 1

    Just about every UI engineer is aware that humans can read sans serif fonts faster than serif fonts for low resolution (read: computer screen) content.