Essentially, come November, there will not be a generally supported Linux OS that will have this issue.
ELS versions receive critical security fixes and urgent bug fixes until the end of their support. They are used right up to end of support, or even beyond in some cases.
RHEL 5 ELS will be supported through November 30, 2020 and RHEL 6 ELS will be supported through June 30, 2024.
This implies there will be RHEL 5 ELS users for at least 5 more months and there will be RHEL 6 ELS users for at least 4 more years.
So, for at least four more years, it appears there will be users who should use the --random-source option with shuf if they want to be cryptographically secure.
The argument is that if you're on a currently supported, non-EOL Linux OS, you will not have this issue after November (since at that point in time, the RHEL 6 will be past end of life).
> ELS versions receive critical security fixes and urgent bug fixes until the end of their support. They are used right up to end of support, or even beyond in some cases, although that is certainly not recommended.
ELS versions are considered past EOL, and past Maintenance Support I & II. They will not be supported for new installs, will be out of compliance for PCI DSS, HIPAA, almost all third party vendor software, will not be certified on new hardware, etc. They are past their ten year lifecycle.
https://endoflife.software/operating-systems/linux/red-hat-e...
https://access.redhat.com/support/policy/updates/errata/#Ext...
Of course the few people on RHEL 6 will have to use the additional --random-source option, but the number of people that this affects is in the single percentage point, or less.
Nothing is stopping someone from spinning up RHEL 5 three years from now and running my original command.
My original statements and points stand true. You were originally wrong to think that shuf is cryptographically insecure. It's been cryptographically secure for quite a while now.
Limiting to only non-EOL and to only future timelines after November are your own chosen statement limitations, not mine.
My statement that the shuf default is insecure for certain versions is correct and I have provided specific examples. There may be other examples, but I only need one to establish truth.
End of life dates have no bearing on my statement. You seem to be trying to change my statement into something else so you can say it is incorrect.
You can narrow your own statements to only include versions and future timelines that you think are important, which is fine, but it doesn't help those who will still be using the affected versions for years to come. The ELS versions exist for a reason, which should be clear from the fact that Red Hat is a for-profit entity. There is a significant number of projects in areas such as industrial control, defense, and finance, that place a high value on stability and they want that extra timeline that extends far beyond end of life.
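Added example, not part of any comment in this thread: a POSIX shell wrapper that always passes an explicit `--random-source` to shuf, so the result does not depend on which coreutils default is installed. The function name `secure_pick`, the `RANDOM_SOURCE` variable and the sample word list are assumptions made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Names below are hypothetical.
# Assumption: a Linux system where /dev/urandom is the kernel CSPRNG device.
RANDOM_SOURCE="${RANDOM_SOURCE:-/dev/urandom}"

# secure_pick COUNT FILE
# Print COUNT distinct lines of FILE in random order, drawing all
# randomness from $RANDOM_SOURCE instead of shuf's built-in default.
secure_pick() {
    count="$1"
    file="$2"
    case "$count" in
        ''|*[!0-9]*) echo "count must be a non-negative integer" >&2; return 2 ;;
    esac
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # Refuse a source that is not a character device: a regular file
    # here would make the "random" order predictable and repeatable.
    [ -c "$RANDOM_SOURCE" ] || {
        echo "$RANDOM_SOURCE is not a character device" >&2
        return 3
    }
    # Fail loudly rather than silently returning fewer lines than asked.
    total=$(($(wc -l < "$file")))
    [ "$count" -le "$total" ] || {
        echo "only $total lines available" >&2
        return 2
    }
    shuf --random-source="$RANDOM_SOURCE" -n "$count" -- "$file"
}

# Demo on a constructed word list (sample data, not a real dictionary).
demo_list=$(mktemp)
printf '%s\n' alpha bravo charlie delta echo foxtrot > "$demo_list"
secure_pick 3 "$demo_list"
rm -f "$demo_list"
```

Only `-n` and `--random-source` are used; `-r/--repeat` is avoided because it is missing from older coreutils releases.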