12

How secure is the CentOS Linux distribution? I noticed there were times when there were no up-to-date patches for some version of CentOS (e.g., 5.6). I read this on some mailing list that I can't find now. I seem to recall the problem was that CentOS 6 was not stable yet, and the 5.6 users were left without updates, but I'm not sure. I apologize if my information is bad.

The lifespan of a version is very attractive: http://wiki.centos.org/Download

Are there any other Linux distros that has such a long lifespan, and have a good security track record?

Scott Pack
LanceBaynes
  • Centos has a long lifespan? I find the packages of centos to be much more bundled than debian (example, apache having more kitchen sink worth of modules installed) and lack of ready access packages. Introducing alternative package repositories and alien imports like rpmfusion doesn't seem like a worthy alternative to debian. Debian has a lot of testing in other distros for its packages in downstream. – hpavc May 02 '11 at 03:51

3 Answers

13

The short answer is this: No, CentOS 5.6 is inherently no more or less secure than any other modern supported operating system. The long answer is a bit more complicated.

CentOS is the "Community" release of RedHat Enterprise Linux (RHEL). The differences between the two are fairly small, so you can think of them as functionally equivalent; see the Wikipedia page for more information. The relationship between them is best described as a workflow: as RedHat releases packages, the CentOS maintainers pull down the source rpms (ignoring any packages they need to for licensing reasons), then rebrand and repackage them for their own releases while maintaining version numbers. This history and workflow is important to your question.

RedHat's business is selling a stable product with support. Each major release of RedHat Linux is defined by a single kernel version, and often the versions of big packages such as Apache remain fairly stable. The RHEL team does, however, backport relevant security fixes. These backports are what allow the RHEL 5.x series to use kernel version 2.6.18 but still be patched. Due to the above relationship, this work also translates back to CentOS.

All that being said, given the work required to translate the packages, one must expect a time lag between a RHEL release and a CentOS release. Normally the lag is fairly small; occasionally you will run into the situation that we had earlier this year, when there was a couple of months' lag between RHEL 5.6 and CentOS 5.6.

Going back to your question: Is CentOS a secure distribution? Is pinot grigio a good wine? How good is your admin? As I said in the beginning, "CentOS is inherently no more or less secure than any other modern, supported operating system." Any system can be hacked into. Just make sure you are following good practices and all of your other layers are in place.

Scott Pack
  • "there was a couple of month lag between RHEL 5.6 and CentOS 5.6." - Thank you. – LanceBaynes May 02 '11 at 04:20
  • @LanceBaynes Right, Jan 13 to Apr 8, in fact. Like I said in my answer, understanding the relationship between CentOS and RHEL is important to any CentOS user. – Scott Pack May 02 '11 at 11:36
  • so *is* pinot grigio a good wine? Not familiar with it... I guess how good your admin is depends on how much pinot grigio you have on hand... – AviD May 03 '11 at 09:13
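The backporting the answer describes has a practical consequence for anyone auditing a CentOS or RHEL box: the upstream version string (kernel 2.6.18 on the whole 5.x series) never changes, so a scanner that judges patch level from version numbers will flag fixed systems as vulnerable. The record of a backport is the package changelog, which Red Hat annotates with the CVE identifiers a build fixes and which the CentOS rebuild preserves. The script below is an added example of checking that record; it is my code, not the answerer's and not anything the CentOS project ships. It parses the output format of `rpm -q --changelog <package>`. The sample changelog text, the version-release strings and the CVE numbers embedded in it are constructed for illustration and do not correspond to any real advisory.

```python
"""Check a CentOS/RHEL package changelog for backported CVE fixes.

Added example (not from the original page). Demonstrates why upstream
version numbers are the wrong signal on RHEL-derived systems: every entry
below reports the same upstream version, yet each build fixes different CVEs.
"""
import re
import subprocess

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample in the shape of `rpm -q --changelog kernel` output.
# Versions, dates, maintainer and CVE numbers are illustrative only.
SAMPLE_CHANGELOG = """\
* Tue Mar 01 2011 Example Maintainer <maint@example.com> 2.6.18-238.5.1
- [net] example bounds check in a driver ioctl (CVE-2011-90001)
- [fs] example integer overflow in a length field (CVE-2011-90002)

* Mon Jan 10 2011 Example Maintainer <maint@example.com> 2.6.18-238.1.1
- [mm] example use-after-free on error path (CVE-2010-90003)
"""


def parse_changelog(text):
    """Return [(version_release, {cve, ...}), ...] in changelog order.

    Assumes the Red Hat convention that each '* ' header line ends with the
    version-release of the build the entry describes.
    """
    entries = []
    version = None
    cves = set()
    for line in text.splitlines():
        if line.startswith("* "):
            if version is not None:
                entries.append((version, cves))
            version = line.split()[-1]
            cves = set()
        else:
            cves.update(CVE_RE.findall(line))
    if version is not None:
        entries.append((version, cves))
    return entries


def upstream_version(version_release):
    """The upstream part of an RPM version-release string, e.g. '2.6.18'."""
    return version_release.split("-", 1)[0]


def fixed_cves(text):
    """Every CVE identifier mentioned anywhere in the changelog."""
    found = set()
    for _, cves in parse_changelog(text):
        found |= cves
    return found


def unfixed(wanted, text):
    """CVEs from `wanted` that no changelog entry claims to fix, sorted."""
    return sorted(set(wanted) - fixed_cves(text))


def package_changelog(pkg):
    """Live query of the installed package; needs rpm on the host.

    Hypothetical helper for real use; the offline demo uses SAMPLE_CHANGELOG.
    """
    return subprocess.check_output(
        ["rpm", "-q", "--changelog", pkg], text=True
    )


if __name__ == "__main__":
    import sys

    text = package_changelog(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CHANGELOG
    wanted = sys.argv[2:] or ["CVE-2011-90001", "CVE-2011-90009"]
    for version, cves in parse_changelog(text):
        print(f"{version} (upstream {upstream_version(version)}): "
              f"{', '.join(sorted(cves)) or 'no CVEs listed'}")
    print("not fixed here:", ", ".join(unfixed(wanted, text)) or "none")
```

Run it with no arguments to see the constructed sample, or as `python check_backports.py kernel CVE-XXXX-YYYY ...` on a real host to compare the installed package against a list of CVEs you care about. Two caveats: the changelog reflects the package that is installed, not the newest one in the repository, so a system that has not been updated will honestly report the CVEs it lacks; and a CVE absent from the changelog may still be fixed under a different identifier or not affect the shipped configuration, so treat a hit in `unfixed` as a prompt to read the corresponding RHSA rather than as proof of exposure.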
5

Another free option for long-lasting support is the Ubuntu Server LTS ("Long Term Support") releases. They offer updates for free for 5 years from the initial release for server functionality. And in this case you get the updates right away, directly from the provider.

The CentOS page you link to generally shows support for each release over a 7-year life cycle. I'm puzzled as to why that is different than the 10-year life cycle, including extended life cycle, that Red Hat offers.

nealmcb
  • If I had to **guess** I would say that it's 2-fold. 1) the 7-year figure matches what a normal RHEL subscription gets you, 2) resource management - the longer the CentOS devs support the product the more versions they'll have to keep updated. – Scott Pack May 03 '11 at 00:02
  • The old and out of date packages of CentOS only seem to further contribute to many of the problems that I have had with CentOS. Additionally, their lack of security releases earlier this year and the fact that the devs appear to be getting cranky with the possibility of a fork in the project, it makes one wonder about this platform for the long haul. – John May 20 '11 at 00:48
-1

This is real easy. Use Oracle Enterprise Linux. You don't have to pay for support like Redhat if you don't want to, and they will provide all software downloads for free, all fixes, etc. It is 100% Redhat compatible and at most they are 24 hours behind a Redhat release. They are a professional crew doing this and not a bunch of CentOS guys doing it at night and on weekends after their real job.