
In my company we are dealing with an interesting decision: which operating system should we choose as the default one? This does not mean that every installation will be based on the chosen operating system, but using a different one will probably have to be justified.

Features and other comparisons aside (I did read this post, but it didn't help much), the main discussion is around overall security and how the developers of each of the two operating systems deal with it.

This is as far as I know:

  • Ubuntu has LTS for 5 years and has actual Canonical employees working on compatibility and security updates.
  • CentOS is fully managed by the community, and security updates come mainly from the Red Hat upstream.

And some considerations:

  • CentOS is forever in catch-up mode, as security updates come from Red Hat. This alone creates a time gap.
  • This post, written in Feb 2011, got me worried, but I don't know if today (2 years later) the reality is the same. Quoting some of the article:

Normally, CentOS follows along with Red Hat security updates, releasing its versions as quickly as it can after the RHEL update is released. But 5.6 (or any "point" release of RHEL) comes with a whole slew of updated packages, any of which might have a security update—or be a dependency of a package updated for security reasons. Since there are no CentOS 5.6 packages (yet), these security updates fall into a crack in the CentOS development process. CentOS can either backport the fixes into the 5.5 package, or release an updated 5.6 package along with all of its dependencies, some of which may not have passed the QA process yet.

Except for those updates that Red Hat has marked as "critical", CentOS has chosen to do neither of the above, according to lead developer Karanbir Singh. That may leave its users vulnerable to a number of potentially exploitable security holes. In email, Singh said that the CentOS team is looking at Red Hat's security updates to fix those that are deemed "remotely-exploitable", but that doesn't seem to jibe with what is getting released for CentOS 5. Since the release of RHEL 5.6, there have been no CentOS 5 security updates.

It looks like going with CentOS implies that at some point we will (maybe) need to buy a RHEL license.

My natural choice would be going with Ubuntu over CentOS, but all I have on Ubuntu is the LTS argument, and I don't know how well the LTS actually works. More opinions on that would be nice. Also, more opinions on CentOS security nowadays would be nice too.

Also, when doing a basic Google search, it is quite common to see more Ubuntu results than CentOS ones, but we do know that Ubuntu has a larger target audience because of the desktop support, and this alone generates a lot of web content.

So, which one do you think has a better development approach/capability for handling security updates?

Bruno Polaco
  • Hmm, I just looked through a few of the CentOS Announce emails I have and typically they get package updates out within a few hours of RH releasing them. The worst I can see is less than 2 days. Point releases are typically quite quick too and if you really need to be bleeding edge they offer the CR repo within a couple of days of RH releasing it. – user9517 Mar 06 '13 at 14:26
  • @Iain: There was quite a long period of time where there were internal problems resulting in long delays. It was during that period that this very similar question was asked on [security.se]: http://security.stackexchange.com/q/3472/618 – Scott Pack Mar 06 '13 at 14:38
  • If you standardize on a RHEL derivative, you have the option of paying for _actual_ RHEL for support and updates for systems where you're really concerned about security. You get long-term support and employees working on providing updates, and as a bonus, those employees get a paycheck to keep working on providing updates. (Disclaimer: I work for Red Hat, but I would give this advice when I didn't, too.) – mattdm Mar 06 '13 at 14:56

1 Answer


Either of these distributions will receive important security updates in a timely manner.

As for overall security I'll have to give the edge to RHEL/CentOS, if only for shipping with reasonably secure defaults for all common services, as well as SELinux enabled and enforcing out of the box. All of the Debian and Ubuntu boxes I've had to manage have needed work to secure their services. Even so, this is pretty minor.

For the most part, I think this is a non-issue, and your choice of distribution really needs to be made on factors other than "security".

Michael Hampton