Re: [cobalt-security] SUN don't care about security update ?

[Bruce Timberlake <bruce.timberlake@xxxxxxx>]

Paul Jacobs wrote:
> 
> I will believe it when I see it...., sun cobalt is starting to act just
> like Microsoft...
> Example, everything works better on the MS platform if you use just
> Microsoft products, now sun is saying only use our products and the box
> will run fine?, I was under the impression that most people in the
> Unix/Linux world are there because they can make any custom config they
> want..... but sun is saying they will not support custom config's???

I am not jumping into this discussion as "the official voice" of Sun
with regards to security updates, our short/long term strategies on
providing patches, etc.  I just feel that some sort of commentary from
within is appropriate here as the rumors and accusations are starting to
get a little out of control.  This is my only statement, and I will not
be replying to this thread after this one comment.

Sun Cobalt server appliances (Qube, RaQ) are just that -- appliances. 
They are purpose-built, pre-integrated combinations of hardware and
software which deliver a fixed set of services, and are designed to be
operated via the web interface.  We did not "lock down" the appliance
like many of our competitors do, so that the end users _are_ able to get
shell access, and _are_ able to make their own modifications if they
desire.  But it is unreasonable to expect a manufacturer to support any
random changes made by end users. Will GE support you if you decide to
turn up the wattage in your microwave, or to use another list member's
favorite terminology, would Kenmore still support you if you tweaked
your washing machine motor to add a "superfast" spin cycle?  No.
Manufacturers support purpose-built systems "as shipped."  While
modifications are not prevented, they are not necessarily encouraged,
and definitely not supported. 

Sun Cobalt is not (yet) shipping "general purpose" Linux servers or OS
distributions, so we do not have an obligation to provide "general
purpose" support.  Our support model _will_ be evolving, though, as our
product offerings evolve.  Once we are shipping our own Linux
distribution, there will be general Linux support available via some
to-be-determined mechanism.  But only for the general purpose products. 
Qube and RaQ appliance support will most likely continue to be limited
to the "as shipped" configurations. Again, I am not the official voice
of Sun for support models, etc. I'm just trying to share the little
insight I have to the processes as they exist now or are being planned
for the future.

One last comment, and then I'll go.  There is a _lot_ of discussion and
upheaval internal to the Sun Cobalt Business Unit, Sun Enterprise
Services, etc, right now about our support offerings, our security (and
other) patch process, etc.  I'm the first to admit that there are
massive problems in this area.  For what it's worth, we _do_ care about
the products and their security, we _do_ care about the users.  It's
just unfortunate that the processes in place for providing support, etc,
are broken.

I'm "in the field" as the main part of my job, supporting and talking
with existing and potential customers on a daily basis.  Field personnel
constantly report problems, suggestions, etc, to the "home office."
There just has never been the right mechanism in place to respond/act on
this information, especially as we transitioned various pieces of the
Cobalt Networks organization into the much larger groups within Sun
Microsystems as Sun Cobalt was formed.  I am very hopeful, though, that
those who are working on the problem "as we speak" will come up with the
proper solutions, and within as short a timeframe as possible.

--
Bruce Timberlake
Sun Cobalt Technology Engineer
Sun Microsystems, Inc.