On Sat, 17 Sep 2011 15:53:04 +0800 Paul Wise <p...@debian.org> wrote:
> On Fri, Sep 16, 2011 at 4:39 AM, zferentz wrote:
> > My company is considering shipping our (commercial) product on top of a
> > Linux software appliance. One of the suggestions was to use Linux
> > Debian as a core. My questions are pretty basic:
>
> Others have answered this, but I would like to point out that security
> is often neglected in software appliances so I hope you:
>
> Allow your users to perform security updates on their instance.
>
> Notify your users when their instance needs a security update.
>
> Notify your users when their appliance no longer has security support.
>
> Allow your users to upgrade their instance to a newer version of
> Debian that has security support.

Just one little proviso on that: plenty of devices which could use Debian, and many that already do use Debian, provide absolutely no connectivity outside the device, and most of those are single-user machines. Some producers will offer upgrades of the software running on top of Debian and, where relevant, upgrade the Debian packages at that time, but this will be a return-to-base warranty / upgrade action based on marketing and service contracts and may involve replacing bits of hardware too (i.e. their software + Debian is an integrated solution and updates to Debian would need extensive testing). Yes, Debian tries very hard to prevent security fixes breaking previous behaviour, but these devices may also need to be supported long after Debian has dropped those versions as oldstable. 7 years is not uncommon - and that's starting with Debian stable.

Emdebian has had plenty of requests and queries about providing static installations which lack apt and dpkg binaries precisely because it is impossible to upgrade the installed software without replacing it entirely. The device will never see a network or external storage and the only upgrade method involves JTAG and RS232. Sometimes there is a read-only filesystem underneath too.

We may think of "software appliances" as having WiFi or similar, but it isn't necessarily the case. Even if the hardware supports it, the connectors may not be accessible without opening the case, at which point "warranty void", game over etc., you know the rest. Debian quite often gets onto devices which look nothing like a PC, server or phone: fully integrated devices with no external connections at all (with the possible exception of replaceable battery packs). Yes, the Debian software is free software - that doesn't mean that it's helpful to make the Debian packages upgradable by the user of specific devices, especially (as with the original query) when the Debian software is not actually visible to the user but supporting a heavily customised, proprietary interface from power on to halt.

It is always worth reminding people about security though, who knows what hardware upgrades someone will specify for version 2 of such devices....

--
Neil Williams
=============
http://www.linux.codehelp.co.uk/