[CentOS-devel] about cc-eal4-config-rhel62

Tue Nov 6 12:47:45 UTC 2012
Johnny Hughes <johnny at centos.org>

On 11/06/2012 03:07 AM, An Yang wrote:
> Hi all,
> Red Hat announced that RHEL6 got EAL4+ certification last week, and
> Red Hat released cc-eal4-config-rhel62-0.33-1.noarch.rpm in RHEL6's repo.
> I think CentOS6.2 should get the same EAL4+ security level.
> Is it possible to add this package in CentOS6's repo?
> Bests,
> An Yang

Reproducing the bits is not reproducing the certification ... becoming
EAL4+ certified is a hugely expensive proposition.

This is what EAL is:

As you can see, this certification process for EAL4+ is a 2 year,
$350,000.00 dollar process.  To the best of my knowledge, RHEL and SLES
are the only EAL certified Linux distros out there ... and that does not
include their Fedora or OpenSUSE variants.  My research shows that
Debian and Ubuntu (as examples) are not EAL certified either.

Not only that, there is RHEL specific documentation about the EAL4+
certification process in that SRPM.

If we replace all the RHEL specific language in said documentation, we
would be claiming CentOS has EAL4+ certification, which it does not.  We
cannot publish something that claims EAL4+ certification (or even EAL
testing) for CentOS.

That SRPM is easy enough to compile, so people can compile it if they
want ... but if someone is in the least bit interested in EAL4+
certification for a machine because they actually need that
certification, then they need to buy a RHEL subscription.

Red Hat charges money for their products specifically so that they can
perform expensive certifications like this and provide that
certification to their subscribers.

That is my take.

Johnny Hughes
