Comments on: Risk report: Two years of Red Hat Enterprise Linux 4

by: Prashant

Wed, 19 Mar 2008 10:10:03 +0000

Very use full document for risk mang.

by: Steven Pass

Wed, 06 Jun 2007 02:22:37 +0000

The title of the report is “Risk report: Two years of Red Hat Enterprise Linux 4″. It’s only toward the end where it states that the report was for “security risks”.
There was a lot of talk about updates for security and vunerabilities. What about updates for stability issues? Updates due to coding issues, memory leaks, etc. For an enterprise, these are also “risks” in deciding to use Red Hat.

by: Peter K

Fri, 04 May 2007 06:58:24 +0000

First I’d like to say thank you for a very well written summary. I’m looking forward to future summaries (EL5 one yesr, EL3, EL4 3 or 4…).

I also found the security feature table interesting. It would have been great to have a column for EL5.

by: Eric Feldhusen

Thu, 26 Apr 2007 16:56:17 +0000

Another interesting metric would be to see how a “minimal” install does for security. Most of my RHEL3/4/5 servers are done with a minimal install specifically for security reasons.

by: Mark Cox

Mon, 23 Apr 2007 02:46:56 +0000

It is actually interesting to look at RHEL3. Because of our policy of backporting security fixes where possible, as the distribution gets older we are affected by a lower proportion of vulnerabilities: RHEL3 in its 3.4 years has only had 3 more critical vulnerabilities than RHEL4 in its 2 years. I’ll look at doing a summary this year, or at least “4 years of RHEL3″ by November, thanks for the feedback.

by: jason andrade

Sun, 22 Apr 2007 17:22:43 +0000

Will there be a risk report for RHEL3 also ? It would be extremely useful to have this sort of report being released annually for each of the main releases (3/4/5).

-j

by: Colin Wilson

Fri, 20 Apr 2007 10:43:56 +0000

This is a very well constructed summary. It is both informative and objective, and sets the standard for what to expect from any OS vendor. Thank you for doing such a professional job on it.

by: Mark Cox

Fri, 20 Apr 2007 07:24:04 +0000

Various reports have tried to compare operating systems from different vendors, some by comparing numbers of vulnerabilities, others looking at days of risk, some recent ones even written by the competing vendor themselves. You can pretty much get whatever results you like from such comparisons by simply carefully choosing the initial conditions or ignoring differences in disclosure and policies. I think it’s far more useful to let RHEL4 users get a good picture of the risk they faced, and with our raw data available they can tailor it to their environment and way they use RHEL4. For example we treat an issue as severity important if an local user can cause a machine to crash, but if you are in an environment where that isn’t an issue (maybe you don’t have untrusted local users or maybe crashes are not a big deal) then you can rerun our stats accordingly.

by: midi-man

Fri, 20 Apr 2007 07:04:18 +0000

Nice article I would have like a side by side comparison with windows it might have been a nice think to have to see which OS is better at security.