[nSLUG] LTS considered harmful

Daniel AJ Sokolov daniel at falco.ca
Mon Mar 13 13:26:27 ADT 2017


Can you provide more background/examples?

And who is not allowed to upgrade?

Thank you
Daniel AJ


On 2017-03-11 at 12:01, George N. White III wrote:
> Last year, Obama issued an order that all US Gov't public facing web
> servers use https.
> It seems this also affects public facing web servers operated by
> contractors, such as
> hdfgroup.org.  The NASA systems I use are
> configured to "Mozilla Modern" standards
> (https://wiki.mozilla.org/Security/Server_Side_TLS):
> 
> "For services that don't need backward compatibility, the parameters
> below provide a higher level of security. This configuration is
> compatible with Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera
> 17, Safari 9, Android 5.0, and Java 8."  
> 
> As the hackers move to softer targets in other countries, similar
> configurations are going to be needed in Canada.
> 
> This list omits many real-world clients (python scripts, git, etc), so
> in practice, Ubuntu 14.04 (LTS) support for https in git doesn't work
> because git was built with libcurl that uses an old gnutls library.  
> Many sites ran into trouble because they aren't allowed to upgrade LTS linux
> until year 5, nor are they supposed to replace vendor-supplied tools.  
> Linux was not alone in being caught using obsolete libraries, current
> macOS python ssl is linked to a very old openssl library. 
> 
> Given the current security environment, a 5-year "LTS" model doesn't
> work for systems that need to connect to internet servers.  Firefox,
> Chrome, and Java provide their own TLS implementations.    Anaconda
> python includes newer TLS libraries with tools such as git and curl.  
> Maybe it is time to have "Mozilla Modern network tools for LT linux".
> 
> -- 
> George N. White III <aa056 at chebucto.ns.ca>
> Head of St. Margarets Bay, Nova Scotia
> 
> 
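The quoted message attributes the client failures to tools linked against old TLS libraries. The sketch below is an added example, not part of either message: it checks whether a TLS library banner, or the library the running Python is linked against, is new enough for TLS 1.2, the only protocol version the Mozilla "Modern" profile accepted at the time. The function names and the sample banners are constructed for illustration.

```python
import re
import ssl

# TLS 1.2 first shipped in OpenSSL 1.0.1. Every LibreSSL release has it,
# because LibreSSL was forked from OpenSSL 1.0.1g.
MIN_OPENSSL_FOR_TLS12 = (1, 0, 1)


def parse_banner(banner):
    """Split a banner like 'OpenSSL 0.9.8zh 14 Jan 2016' into (library, (x, y, z))."""
    m = re.match(r"(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError("unrecognised TLS library banner: %r" % banner)
    return m.group(1), tuple(int(part) for part in m.group(2, 3, 4))


def banner_supports_tls12(banner):
    """True if the library named in the banner can negotiate TLS 1.2."""
    library, version = parse_banner(banner)
    if library == "LibreSSL":
        return True
    return version >= MIN_OPENSSL_FOR_TLS12


def local_tls_report():
    """Describe the TLS library this Python interpreter is linked against."""
    linked = ssl.OPENSSL_VERSION_INFO[:3]
    return {
        "banner": ssl.OPENSSL_VERSION,
        "library_new_enough": linked >= MIN_OPENSSL_FOR_TLS12,
        # HAS_TLSv1_2 exists on Python 3.7+; older builds expose the constant.
        "python_exposes_tls12": bool(
            getattr(ssl, "HAS_TLSv1_2", hasattr(ssl, "PROTOCOL_TLSv1_2"))
        ),
    }


if __name__ == "__main__":
    # Constructed sample banners, not taken from the thread.
    for sample in ("OpenSSL 0.9.8zh 14 Jan 2016",
                   "OpenSSL 1.0.1f 6 Jan 2014",
                   "LibreSSL 2.2.7"):
        print(sample, "->", banner_supports_tls12(sample))
    print(local_tls_report())
```

Run on each client host, the report shows which interpreters need a newer TLS library before they can reach a server restricted to TLS 1.2.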


