[CentOS-devel] about cc-eal4-config-rhel62

Wed Nov 7 08:05:21 UTC 2012
An Yang <an.euroford at gmail.com>

On 2012-11-06  06:47 -0600,Johnny Hughes wrote: 

> On 11/06/2012 03:07 AM, An Yang wrote:
> > Hi all,
> > 
> > Redhat announced that RHEL6 got EAL4+ certification at last week, and 
> > Redhat released cc-eal4-config-rhel62-0.33-1.noarch.rpm in RHEL6's repo,
> > I think CentOS6.2 should got the same EAL4+ security level.
> > Is that possible to add this package in CentOS6's repo?
> > 
> > Bests,
> > An Yang
> Reproducing the bits is not reproducing the certification ... becoming
> EAL4+ certified is a hugely expensive proposition.

What in the package are only the configure files and an evaluation
guide, and with these guide, the users of CentOS will have an easiest
way to secure their servers.
I think just putting this package in CentOS' repo do not mean CentOS
have any relationship with the certification of EAL4+, and just let the
users know CentOS got all the capabilities of EAL4+ security level. 

> This is what EAL is:
> http://en.wikipedia.org/wiki/Evaluation_Assurance_Level
> As you can see, this certification process for EAL4+ is a 2 year,
> $350,000.00 dollar process.  To the best of my knowledge, RHEL and SLES
> are the only EAL certified Linux distros out there ... and that does not
> include their Fedora or OpenSUSE variants.  My research shows that
> Debian and Ubuntu (as examples) are not EAL certified either.
> Not only that, there is RHEL specific documentation about the EAL4+
> certification process in that SRPM.
> If we replace all the RHEL specific language in said documentation, we
> would be claiming CentOS has EAL4+ certification, which it does not.  We
> can not publish something that claims EAL4+ certification (or even EAL
> testing) for CentOS.
> That SRPM is easy enough to compile, so people can compile it if they
> want ... but if someone is in the least bit interested in EAL4+
> certification for a machine because they actually need that
> certification, then they need to buy a RHEL subscription.
> Red Hat charges money for their products specifically so that they can
> perform expensive certifications like this and provide that
> certification to their subscribers.
> That is my take.
> Thanks,
> Johnny Hughes
> _______________________________________________
> CentOS-devel mailing list
> CentOS-devel at centos.org
> http://lists.centos.org/mailman/listinfo/centos-devel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20121107/eefd1590/attachment-0005.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20121107/eefd1590/attachment-0005.sig>