[nSLUG] LTS considered harmful
George N. White III
gnwiii at gmail.com
Mon Mar 13 14:39:58 ADT 2017
On 13 March 2017 at 13:26, Daniel AJ Sokolov <daniel at falco.ca> wrote:
> Can you provide more background/examples?
(At one time you could view this forum without a login, but that may have
The NASA EOSDIS login is free, but you might have to qualify under US
restrictions to get a login. There are concerns that EOSDIS will be
NASA's new focus.)
For user impacts, key threads are:
> And who is not allowed to upgrade?
Large sites with significant investments in hardware. Think of the remote
data ingestion for operational weather models. These big purchases are
through a bidding process, require "threat-risk assessment" (TRA), etc. The TRA
may require hiring a consultant and will impose conditions on how the system
is used. Hardware has to be qualified against the OS, etc. Typically,
systems are locked up and IT provides hardware maintenance, installs OS
updates and apps from an approved list. Users are stuck with the base OS until
the hardware is replaced, at which time you get a newer base OS. There is
often a cycle of testing for OS updates from the vendor before they are
on the "production" systems.
> Daniel AJ
> On 2017-03-11 at 12:01, George N. White III wrote:
> > Last year, Obama issued an order that all US Gov't public facing web
> > servers use https.
> > It seems this also affects public facing web servers operated by
> > contractors, such as
> > hdfgroup.org. The NASA systems I use are
> > configured to "Mozilla Modern" standards
> > (https://wiki.mozilla.org/Security/Server_Side_TLS):
> > "For services that don't need backward compatibility, the parameters
> > below provide a higher level of security. This configuration is
> > compatible with Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera
> > 17, Safari 9, Android 5.0, and Java 8."
> > As the hackers move to softer targets in other countries, similar
> > configurations are going to be needed in Canada.
> > This list omits many real-world clients (python scripts, git, etc), so
> > in practice, Ubuntu 14.04 (LTS) support for https in git doesn't work
> > because git was built with libcurl that uses an old gnutls library.
> > Many sites ran into trouble because they aren't allowed to upgrade LTS
> > until year 5, nor are they supposed to replace vendor-supplied tools.
> > Linux was not alone in being caught using obsolete libraries, current
> > macOS python ssl is linked to a very old openssl library.
> > Given the current security environment, a 5-year "LTS" model doesn't
> > work for systems that need to connect to internet servers. Firefox,
> > Chrome, and Java provide their own TLS implementations. Anaconda
> > python includes newer TLS libraries with tools such as git and curl.
> > Maybe it is time to have "Mozilla Modern network tools for LTS linux".
George N. White III <aa056 at chebucto.ns.ca>
Head of St. Margarets Bay, Nova Scotia
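An added example, not from this thread: a Go sketch of how a site operator could inventory the clients that a Modern-style TLS profile would turn away before actually enforcing it, so the git, curl and python builds that need updating are known in advance. The rule "TLS 1.2 or newer, and on TLS 1.2 only ECDHE key exchange with AEAD ciphers", the `modernTLS12Suites` list and the `Verdict`/`LegacyAudit` names are my assumptions standing in for the Mozilla profile, not a copy of it.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Rules in the spirit of the thread's "Mozilla Modern": TLS 1.2 or newer, and on
// TLS 1.2 only ECDHE key exchange with AEAD ciphers. This suite list is my own
// illustrative assumption, not the Mozilla list; TLS 1.3 suites are all AEAD.
var modernTLS12Suites = map[uint16]bool{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: true,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:   true,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:  true,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:    true,
}

// Verdict reports whether a ClientHello could complete a handshake under those
// rules, and why. Go fills SupportedVersions for pre-1.3 clients from the
// advertised maximum version, so a TLS 1.1 client shows up as {1.1, 1.0}.
func Verdict(hello *tls.ClientHelloInfo) (ok bool, reason string) {
	tls12 := false
	for _, v := range hello.SupportedVersions {
		if v == tls.VersionTLS13 {
			return true, "TLS 1.3"
		}
		tls12 = tls12 || v == tls.VersionTLS12
	}
	if !tls12 {
		return false, "no TLS version >= 1.2 offered"
	}
	for _, s := range hello.CipherSuites {
		if modernTLS12Suites[s] {
			return true, "TLS 1.2 with " + tls.CipherSuiteName(s)
		}
	}
	return false, "TLS 1.2 but no ECDHE+AEAD cipher suite offered"
}

// LegacyAudit is a GetConfigForClient hook for a server that still accepts old
// clients: it logs each hello the stricter rules would reject, giving a site an
// inventory of clients to fix first. Returning (nil, nil) keeps the listener's config.
func LegacyAudit(logf func(string)) func(*tls.ClientHelloInfo) (*tls.Config, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		if ok, why := Verdict(hello); !ok {
			logf(fmt.Sprintf("legacy client for %q: %s", hello.ServerName, why))
		}
		return nil, nil
	}
}
```

Wire the hook in with `srv.TLSConfig.GetConfigForClient = LegacyAudit(log.Print)` on a server that still allows the old clients, then tighten `MinVersion` and `CipherSuites` once the log goes quiet.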