[CentOS] Redhat vs centos vs ubuntu

Thu Nov 10 16:59:42 UTC 2011
Lamar Owen <lowen at pari.edu>

On Thursday, November 10, 2011 10:33:38 AM Craig White wrote:
> [Ubuntu is] different - not better, not worse (save for the fact that with Ubuntu I have been able to get timely updates this year). Also, I much prefer their packaging of Apache & BIND9 to Red Hat's.
> If your expectation was that you could take your limited knowledge base and apply it equally across all Linux distributions and expect it to behave as a Red Hat derived system, then all other distributions will disappoint you. 

While this is not the CentOS-advocacy list, I do want to mention that if the tradeoff is between a secure (from a firewall and mandatory access control (MAC) standpoint) system and a system with more timely updates, I think I'd rather have the system that is more secure out of the box on the firewall side, SELinux (the upstream-preferred MAC solution) notwithstanding.

Too much choice can be worse than sane defaults; and I say this after doing many installs of the following distributions of Linux, and some non-Linux *nix:
SLS (go look it up)
Red Hat Linux (pre-Enterprise) and derivatives, including Fedora, CentOS, SL, etc.
Caldera OpenServer
Gentoo Stage 1 (on Alpha, no less)
Debian (multiple toys^H^H^H^Hversions (codename pun), multiple architectures)
Ubuntu/Kubuntu of multiple versions, desktop and server, multiple architectures
And some minor specialized distributions, including the free and the commercial versions of Smoothwall.
OpenBSD, multiple architectures
IRIX (6.5.x, Indigo2, O2, and Octane)
Apollo DomainOS 10
Solaris 9 and 10
Tandy Xenix, both V7 based and System III, from 8 inch floppies on a Tandy 6000
AT&T/Convergent Unix System V Release 2 on 3B1
4.3BSD on a DEC PDP 11/23 (70MB MFM disk.....)

Of the PC things, SLS was probably the most fun to do, but that's primarily because that was so long ago and even Windows 95 was available on floppies.... and it was just so cool to run a *nix on the 386SX box.... the coolness factor has definitely worn off.

So I'm in somewhat of a position to comment on what I want and don't want from an install, be it text or GUI. Regardless of ease of install, I very much want/desire/need something that once the initial no-internet-connection install is complete the box comes up with things pretty well locked down by default.  CentOS/SL/upstream EL does this, by default, and that is good, updates or no updates.  Updates are no more of a panacea than firewalls are.

If you doubt the speed at which a non-locked-down system can be exploited, take a 1990s vintage copy of, say, RHL 6.2, go ahead and pre-download the last set of updates for that distribution, do the install on a public IP with no firewall appliance in front of you, and see if you can get the updates installed before you're pwned.  

This is the world we live in, especially with advanced persistent threats gaining internal network access; firewalling, even on the inside, is no longer optional for a server install.  The firewall of course is but one layer in the security of the system; MAC helps immensely, as do proactive NAC/IDS/IPS setups.  As the theme song of the USA television series 'Monk' says, it's a jungle out there....