Discussion on LTS OSes
-
@IRJ said in Linux OS Thoughts?:
Literally all the NIST, CIS, etc standards point to LTS and dont have benchmarks for Bleeding Edge.
And this, in turn, makes them complete and utter jokes with no place in a production environment. If they don't know computing basics (and they don't) they shouldn't be making recommendations. We know that these agencies are inept and at best decades behind the times. That they recommend LTS tells us a lot about if that's a good idea. Remember until just two years ago NIST was recommending insecure passwords because they couldn't keep up with decades old basic computer knowledge.
-
@IRJ said in Linux OS Thoughts?:
Stick to LTS versions (...hides)
what is LTS Versions vs. Bleeding Edge
-
@IRJ said in Linux OS Thoughts?:
You can argue that bleeding edge is better, but I want to know how.
Basic software engineering tells us this.... products that are more maintained and "alive" naturally win over those that are stagnant. LTS is a marketing term to make "stagnant" sound viable. It's only beneficial to ghost ship or very poorly updated software. As a software engineer, I only use LTS to screw the customer, never to make good software. It's so I can get away without maintaining or patching. It's so the risk is the customer's not mine, but the risk is magnified.
Bleeding edge is the WRONG term and nothing to do with what we are discussing. We are talking about LTS (aka stagnant) versus Current support. Ubuntu and Fedora are not rolling, nor bleeding. They are simply a six month update cycle compared to a longer update cycle.
-
@scottalanmiller said in Linux OS Thoughts?:
@IRJ said in Linux OS Thoughts?:
Literally all the NIST, CIS, etc standards point to LTS and dont have benchmarks for Bleeding Edge.
And this, in turn, makes them complete and utter jokes with no place in a production environment. If they don't know computing basics (and they don't) they shouldn't be making recommendations. We know that these agencies are inept and at best decades behind the times. That they recommend LTS tells us a lot about if that's a good idea. Remember until just two years ago NIST was recommending insecure passwords because they couldn't keep up with decades old basic computer knowledge.
A good portion of business that have any compliance requirements dont have a choice. Pretty much businesses that have any kinds of audits are going to need to meet benchmarks even if they arent specific to CIS or NIST. Nobody is able to provide valid benchmarks for Bleeding Edge as they change so much.
-
@scottalanmiller said in Linux OS Thoughts?:
@IRJ said in Linux OS Thoughts?:
Literally all the NIST, CIS, etc standards point to LTS and dont have benchmarks for Bleeding Edge.
And this, in turn, makes them complete and utter jokes with no place in a production environment. If they don't know computing basics (and they don't) they shouldn't be making recommendations. We know that these agencies are inept and at best decades behind the times. That they recommend LTS tells us a lot about if that's a good idea. Remember until just two years ago NIST was recommending insecure passwords because they couldn't keep up with decades old basic computer knowledge.
The hardening for RHEL is written by Red Hat, not NIST. So the benchmarks are made by the people that make the software...
-
@IRJ said in Linux OS Thoughts?:
Negatives about bleeding edge:
Often not supported
No available benchmarks
Higher chance for bugs as it gets untested releasesNone of these are true for what we are discussing. They are often MORE supported (Ubuntu they are the ONLY option for what IT calls support, and as that is the biggest OS, this is a big deal.) RHEL gives more phone support to LTS, but more coding support to current.
Benchmarks are easily available.
Higher chance of bugs based on what? I don't believe this to be true, especially in real world usage. It sounds plausible, but doesn't really hold up.
-
@stacksofplates said in Linux OS Thoughts?:
@scottalanmiller said in Linux OS Thoughts?:
@IRJ said in Linux OS Thoughts?:
Literally all the NIST, CIS, etc standards point to LTS and dont have benchmarks for Bleeding Edge.
And this, in turn, makes them complete and utter jokes with no place in a production environment. If they don't know computing basics (and they don't) they shouldn't be making recommendations. We know that these agencies are inept and at best decades behind the times. That they recommend LTS tells us a lot about if that's a good idea. Remember until just two years ago NIST was recommending insecure passwords because they couldn't keep up with decades old basic computer knowledge.
The hardening for RHEL is written by Red Hat, not NIST. So the benchmarks are made by the people that make the software...
Coincidentally I know this because I've contributed directly to SCAP remediations.
-
@IRJ said in Linux OS Thoughts?:
@scottalanmiller said in Linux OS Thoughts?:
@IRJ said in Linux OS Thoughts?:
Literally all the NIST, CIS, etc standards point to LTS and dont have benchmarks for Bleeding Edge.
And this, in turn, makes them complete and utter jokes with no place in a production environment. If they don't know computing basics (and they don't) they shouldn't be making recommendations. We know that these agencies are inept and at best decades behind the times. That they recommend LTS tells us a lot about if that's a good idea. Remember until just two years ago NIST was recommending insecure passwords because they couldn't keep up with decades old basic computer knowledge.
A good portion of business that have any compliance requirements dont have a choice. Pretty much businesses that have any kinds of audits are going to need to meet benchmarks even if they arent specific to CIS or NIST. Nobody is able to provide valid benchmarks for Bleeding Edge as they change so much.
That's unrelated to what is "good" or "secure". Politics and good business are opponents, not partners.
-
@scottalanmiller said in Linux OS Thoughts?:
@IRJ said in Linux OS Thoughts?:
@scottalanmiller said in Linux OS Thoughts?:
@IRJ said in Linux OS Thoughts?:
Literally all the NIST, CIS, etc standards point to LTS and dont have benchmarks for Bleeding Edge.
And this, in turn, makes them complete and utter jokes with no place in a production environment. If they don't know computing basics (and they don't) they shouldn't be making recommendations. We know that these agencies are inept and at best decades behind the times. That they recommend LTS tells us a lot about if that's a good idea. Remember until just two years ago NIST was recommending insecure passwords because they couldn't keep up with decades old basic computer knowledge.
A good portion of business that have any compliance requirements dont have a choice. Pretty much businesses that have any kinds of audits are going to need to meet benchmarks even if they arent specific to CIS or NIST. Nobody is able to provide valid benchmarks for Bleeding Edge as they change so much.
That's unrelated to what is "good" or "secure". Politics and good business are opponents, not partners.
Sometimes you need both. Without requirements we would be in much worse shape. There has to be an audit process in place, and they has to be realistic time for it. Most of audit checks make perfect sense. Sure there is always weird requirements, but overall they surely are considered best practice.
-
@WrCombs said in Linux OS Thoughts?:
@IRJ said in Linux OS Thoughts?:
Stick to LTS versions (...hides)
what is LTS Versions vs. Bleeding Edge
That's not a comparison. They are saying Bleeding Edge in an attempt to discredit "Current Releases." Bleeding edge is something wholly different.
LTS: Long Term Support. These are OS releases that are selected (every major vendor does this... Windows, RHEL, Ubuntu, Suse, etc.) to get "support" for a really long time with a guarantee that the code versions won't change. It's a locked release that you can install and use and get "support" for a long time. I say "support" because it's not always what it sounds like. Ubuntu doesn't offer anything we'd call actual support for their LTS, it's all a marketing thing not a tech thing.
Current Release: This is the current product release from a vendor. Windows, RH, Ubuntu, Suse all offer these. Windows, RH, and Ubuntu all have a ~6 month release cycle for current. Suse alone uses a rolling release model. None of these imply anything like cutting or bleeding edge, those terms would denote a misunderstanding of what releases are. A current release can easily include software that is decades old, nothing about it implies a faster release of packages. And if it did, Ubuntu LTS is also "Current" every 18 months, so if bleeding edge is bad, then their LTS is also bad because they would overlap.
Current selections of both....
Windows:
LTS: Windows LTSB 1809
Current: 1903Red Hat:
LTS: CentOS 8 / RHEL 8
Current: Fedora 30Ubuntu:
LTS: 1804
Current: 1910Suse:
LTS: OpenSuse Leap
Current: OpenSuse Tumbleweed -
@IRJ said in Linux OS Thoughts?:
@scottalanmiller said in Linux OS Thoughts?:
@IRJ said in Linux OS Thoughts?:
@scottalanmiller said in Linux OS Thoughts?:
@IRJ said in Linux OS Thoughts?:
Literally all the NIST, CIS, etc standards point to LTS and dont have benchmarks for Bleeding Edge.
And this, in turn, makes them complete and utter jokes with no place in a production environment. If they don't know computing basics (and they don't) they shouldn't be making recommendations. We know that these agencies are inept and at best decades behind the times. That they recommend LTS tells us a lot about if that's a good idea. Remember until just two years ago NIST was recommending insecure passwords because they couldn't keep up with decades old basic computer knowledge.
A good portion of business that have any compliance requirements dont have a choice. Pretty much businesses that have any kinds of audits are going to need to meet benchmarks even if they arent specific to CIS or NIST. Nobody is able to provide valid benchmarks for Bleeding Edge as they change so much.
That's unrelated to what is "good" or "secure". Politics and good business are opponents, not partners.
Sometimes you need both. Without requirements we would be in much worse shape. There has to be an audit process in place, and they has to be realistic time for it. Most of audit checks make perfect sense. Sure there is always weird requirements, but overall they surely are considered best practice.
Sometimes you have to bow to politics over what is good for the business all things being equal. The law often demands or promotes reckless behaviour (like allowing faxes under HIPAA... absolutely criminal if the law didn't promote it.)
But that doesn't make the practice good, only required.
-
@stacksofplates said in Linux OS Thoughts?:
@Dashrender said in Linux OS Thoughts?:
@DustinB3403 said in Linux OS Thoughts?:
@scottalanmiller said in Linux OS Thoughts?:
@WrCombs said in Linux OS Thoughts?:
@DustinB3403 said in Linux OS Thoughts?:
@WrCombs said in Linux OS Thoughts?:
Learn linux - But with out the " "
Okay so let's break this down one more step. What about Linux do you want to learn?
If you looked at Linux like the day you go your learners permit, it's just learning what the tools are and how to use them. Is there something specific you are wanting to do with Linux?
looking at Linux Administration.
Oh, in the case, installing RHEL 8 is probably the best place to start.
Spend money on RHEL, really? When we were just telling him to not spend money on Windows 10 Pro for his work provided computer.
In a lab/home environment, sure that makes sense, but this is discussing his career. Which I would lean towards Fedora as a jump point.
RHEL is still free (as far as I know) it's just a HUGE PITA to get your hands on if you don't buy support for it.
You can get it for free through a dev account, but it's offered through CentOS as the free version unless you build it from source yourself.
Other than a name - what is the difference between CentOS and RHEL? it's my understanding that RHEL is a less rev'ed version of CentOS, which is a less rev'ed version of Fedora... in essence, it's LTS.
-
@DustinB3403 said in Linux OS Thoughts?:
@Dashrender said in Linux OS Thoughts?:
@DustinB3403 said in Linux OS Thoughts?:
@scottalanmiller said in Linux OS Thoughts?:
@WrCombs said in Linux OS Thoughts?:
@DustinB3403 said in Linux OS Thoughts?:
@WrCombs said in Linux OS Thoughts?:
Learn linux - But with out the " "
Okay so let's break this down one more step. What about Linux do you want to learn?
If you looked at Linux like the day you go your learners permit, it's just learning what the tools are and how to use them. Is there something specific you are wanting to do with Linux?
looking at Linux Administration.
Oh, in the case, installing RHEL 8 is probably the best place to start.
Spend money on RHEL, really? When we were just telling him to not spend money on Windows 10 Pro for his work provided computer.
In a lab/home environment, sure that makes sense, but this is discussing his career. Which I would lean towards Fedora as a jump point.
RHEL is still free (as far as I know) it's just a HUGE PITA to get your hands on if you don't buy support for it.
Interesting, but is there really a value to using RHEL without support?
Only for testing or claiming that you've used it.
-
@Dashrender said in Linux OS Thoughts?:
@stacksofplates said in Linux OS Thoughts?:
@Dashrender said in Linux OS Thoughts?:
@DustinB3403 said in Linux OS Thoughts?:
@scottalanmiller said in Linux OS Thoughts?:
@WrCombs said in Linux OS Thoughts?:
@DustinB3403 said in Linux OS Thoughts?:
@WrCombs said in Linux OS Thoughts?:
Learn linux - But with out the " "
Okay so let's break this down one more step. What about Linux do you want to learn?
If you looked at Linux like the day you go your learners permit, it's just learning what the tools are and how to use them. Is there something specific you are wanting to do with Linux?
looking at Linux Administration.
Oh, in the case, installing RHEL 8 is probably the best place to start.
Spend money on RHEL, really? When we were just telling him to not spend money on Windows 10 Pro for his work provided computer.
In a lab/home environment, sure that makes sense, but this is discussing his career. Which I would lean towards Fedora as a jump point.
RHEL is still free (as far as I know) it's just a HUGE PITA to get your hands on if you don't buy support for it.
You can get it for free through a dev account, but it's offered through CentOS as the free version unless you build it from source yourself.
Other than a name - what is the difference between CentOS and RHEL? it's my understanding that RHEL is a less rev'ed version of CentOS, which is a less rev'ed version of Fedora... in essence, it's LTS.
There's some package differences like subscription manager. But it's mostly branding.
-
@stacksofplates said in Linux OS Thoughts?:
@DustinB3403 said in Linux OS Thoughts?:
@scottalanmiller can explain what the fundamental differences is between LTS and anything bleeding edge.
To summarize it lazily, LTS is a set in time that is only updated for security concerns. BE is everything not that and you wanting to use the newest features as soon as they are released.
Yeah that's not true. Dot releases with CentOS/RHEL give you packages that weren't in previous releases. For example adding VDO in 7.5 or 7.6. By the way, I believe you still need copr on Fedora to install that (so not in upstream yet.).
New packages, but if they update old ones, it stops being an LTS and just becomes a different "current". But just adding something new and optional isn't the same as updating something old. MS follows the same rules.
-
@scottalanmiller said in Linux OS Thoughts?:
@IRJ said in Linux OS Thoughts?:
@scottalanmiller said in Linux OS Thoughts?:
@IRJ said in Linux OS Thoughts?:
@scottalanmiller said in Linux OS Thoughts?:
@IRJ said in Linux OS Thoughts?:
Literally all the NIST, CIS, etc standards point to LTS and dont have benchmarks for Bleeding Edge.
And this, in turn, makes them complete and utter jokes with no place in a production environment. If they don't know computing basics (and they don't) they shouldn't be making recommendations. We know that these agencies are inept and at best decades behind the times. That they recommend LTS tells us a lot about if that's a good idea. Remember until just two years ago NIST was recommending insecure passwords because they couldn't keep up with decades old basic computer knowledge.
A good portion of business that have any compliance requirements dont have a choice. Pretty much businesses that have any kinds of audits are going to need to meet benchmarks even if they arent specific to CIS or NIST. Nobody is able to provide valid benchmarks for Bleeding Edge as they change so much.
That's unrelated to what is "good" or "secure". Politics and good business are opponents, not partners.
Sometimes you need both. Without requirements we would be in much worse shape. There has to be an audit process in place, and they has to be realistic time for it. Most of audit checks make perfect sense. Sure there is always weird requirements, but overall they surely are considered best practice.
Sometimes you have to bow to politics over what is good for the business all things being equal. The law often demands or promotes reckless behaviour (like allowing faxes under HIPAA... absolutely criminal if the law didn't promote it.)
But that doesn't make the practice good, only required.
If HIPAA was anything like NIST , Holy shit would we be in good shape in comparison. If you have dealt with the two, you will realize there is no comparing the two.
HITRUST is well trusted in the medical field. They are difficult to acheive and take years of work in some cases to acheive HiTRUST.
HIPAA is literally bullshit that is well below common sense knowledge.
-
@scottalanmiller said in Linux OS Thoughts?:
@WrCombs said in Linux OS Thoughts?:
@IRJ said in Linux OS Thoughts?:
Stick to LTS versions (...hides)
what is LTS Versions vs. Bleeding Edge
That's not a comparison. They are saying Bleeding Edge in an attempt to discredit "Current Releases." Bleeding edge is something wholly different.
LTS: Long Term Support. These are OS releases that are selected (every major vendor does this... Windows, RHEL, Ubuntu, Suse, etc.) to get "support" for a really long time with a guarantee that the code versions won't change. It's a locked release that you can install and use and get "support" for a long time. I say "support" because it's not always what it sounds like. Ubuntu doesn't offer anything we'd call actual support for their LTS, it's all a marketing thing not a tech thing.
Current Release: This is the current product release from a vendor. Windows, RH, Ubuntu, Suse all offer these. Windows, RH, and Ubuntu all have a ~6 month release cycle for current. Suse alone uses a rolling release model. None of these imply anything like cutting or bleeding edge, those terms would denote a misunderstanding of what releases are. A current release can easily include software that is decades old, nothing about it implies a faster release of packages. And if it did, Ubuntu LTS is also "Current" every 18 months, so if bleeding edge is bad, then their LTS is also bad because they would overlap.
Current selections of both....
Windows:
LTS: Windows LTSB 1809
Current: 1903Red Hat:
LTS: CentOS 8 / RHEL 8
Current: Fedora 30Ubuntu:
LTS: 1804
Current: 1910Suse:
LTS: OpenSuse Leap
Current: OpenSuse TumbleweedActually 1909 has been released officially.
-
@Dashrender said in Linux OS Thoughts?:
@scottalanmiller said in Linux OS Thoughts?:
@WrCombs said in Linux OS Thoughts?:
@IRJ said in Linux OS Thoughts?:
Stick to LTS versions (...hides)
what is LTS Versions vs. Bleeding Edge
That's not a comparison. They are saying Bleeding Edge in an attempt to discredit "Current Releases." Bleeding edge is something wholly different.
LTS: Long Term Support. These are OS releases that are selected (every major vendor does this... Windows, RHEL, Ubuntu, Suse, etc.) to get "support" for a really long time with a guarantee that the code versions won't change. It's a locked release that you can install and use and get "support" for a long time. I say "support" because it's not always what it sounds like. Ubuntu doesn't offer anything we'd call actual support for their LTS, it's all a marketing thing not a tech thing.
Current Release: This is the current product release from a vendor. Windows, RH, Ubuntu, Suse all offer these. Windows, RH, and Ubuntu all have a ~6 month release cycle for current. Suse alone uses a rolling release model. None of these imply anything like cutting or bleeding edge, those terms would denote a misunderstanding of what releases are. A current release can easily include software that is decades old, nothing about it implies a faster release of packages. And if it did, Ubuntu LTS is also "Current" every 18 months, so if bleeding edge is bad, then their LTS is also bad because they would overlap.
Current selections of both....
Windows:
LTS: Windows LTSB 1809
Current: 1903Red Hat:
LTS: CentOS 8 / RHEL 8
Current: Fedora 30Ubuntu:
LTS: 1804
Current: 1910Suse:
LTS: OpenSuse Leap
Current: OpenSuse TumbleweedActually 1909 has been released officially.
That's what I got on my new laptop.. weird.
-
@scottalanmiller said in Linux OS Thoughts?:
@WrCombs said in Linux OS Thoughts?:
@IRJ said in Linux OS Thoughts?:
Stick to LTS versions (...hides)
what is LTS Versions vs. Bleeding Edge
That's not a comparison. They are saying Bleeding Edge in an attempt to discredit "Current Releases." Bleeding edge is something wholly different.
LTS: Long Term Support. These are OS releases that are selected (every major vendor does this... Windows, RHEL, Ubuntu, Suse, etc.) to get "support" for a really long time with a guarantee that the code versions won't change. It's a locked release that you can install and use and get "support" for a long time. I say "support" because it's not always what it sounds like. Ubuntu doesn't offer anything we'd call actual support for their LTS, it's all a marketing thing not a tech thing.
Current Release: This is the current product release from a vendor. Windows, RH, Ubuntu, Suse all offer these. Windows, RH, and Ubuntu all have a ~6 month release cycle for current. Suse alone uses a rolling release model. None of these imply anything like cutting or bleeding edge, those terms would denote a misunderstanding of what releases are. A current release can easily include software that is decades old, nothing about it implies a faster release of packages. And if it did, Ubuntu LTS is also "Current" every 18 months, so if bleeding edge is bad, then their LTS is also bad because they would overlap.
Current selections of both....
Windows:
LTS: Windows LTSB 1809
Current: 1903Red Hat:
LTS: CentOS 8 / RHEL 8
Current: Fedora 30Ubuntu:
LTS: 1804
Current: 1910Suse:
LTS: OpenSuse Leap
Current: OpenSuse TumbleweedThat makes a lot more sense.
-
@scottalanmiller said in Linux OS Thoughts?:
@stacksofplates said in Linux OS Thoughts?:
@DustinB3403 said in Linux OS Thoughts?:
@scottalanmiller can explain what the fundamental differences is between LTS and anything bleeding edge.
To summarize it lazily, LTS is a set in time that is only updated for security concerns. BE is everything not that and you wanting to use the newest features as soon as they are released.
Yeah that's not true. Dot releases with CentOS/RHEL give you packages that weren't in previous releases. For example adding VDO in 7.5 or 7.6. By the way, I believe you still need copr on Fedora to install that (so not in upstream yet.).
New packages, but if they update old ones, it stops being an LTS and just becomes a different "current". But just adding something new and optional isn't the same as updating something old. MS follows the same rules.
Yeah that's not true. They definitely update packages. RHEL/CentOS 7.1 had NetworkManager-1.0.0-16. RHEL/CentOS 7.6 has 1.18.0-5. Just one example.
They definitely update packages as dot releases come out.
