>Limiting to only non-EOL and to only future timelines after November are your own chosen statement limitations, not mine.
My statement was a Linux OS after 2013ish, which means RHEL 7 and Ubuntu 13.02. RHEL 6/5 are not from 2013 or later.
>My statement that the shuf default is insecure for certain versions is correct and I have provided specific examples. There may be other examples, but I only need one to establish truth.
There are certain default versions of the kernel, bash, etc. that are insecure for certain versions of Linux OS releases. Your statement is meaningless. You can go back in time and find an insecure version of a piece of software; that's almost always true. You established effectively nothing. Whether or not anyone is using that version is what's meaningful.
You might as well be warning people not to visit https://correcthorse.pw/ on the default Firefox that ships with RHEL 5 because it had insecure defaults.
>End of life dates have no bearing on my statement. You seem to be trying to change my statement into something else so you can say it is incorrect.
It does, as I stated and proved above. Everything you've said is pretty much incorrect, which is the problem.
>You can narrow your own statements to only include versions and future timelines that you think are important, which is fine, but it doesn't help those who will still be using the affected versions for years to come.
Effectively no one is going to use the impacted versions for years to come. I doubt there are any users reading this comment thread who use RHEL 6 for password generation.
>The ELS versions exist for a reason, which should be clear from the fact that Red Hat is a for-profit entity.
They exist for the same reason Windows will sell you support for Windows XP, even though that product is also EOL. Are you going to warn the .x% of users that are using Windows XP to not even connect to the Internet?
>There is a significant number of projects in areas such as industrial control, defense, and finance, that place a high value on stability and they want that extra timeline that extends far beyond end of life.
Finance definitely places a high value on being on supported versions. As a matter of fact, it's against PCI DSS to be on EOL products. They have entire audit and compliance teams to ensure they're not on EOL products.