
> Redhat have an obligation to make reasonable effort to keep malicious code out of their supported software.

No. Read the license terms. For all Linux distros, there is a clear mention that the software is provided as is, and they are in no way responsible for whatever happens with it. Very standard. So absolutely no legal standing and therefore no obligation.
There’s a social and economic understanding that Redhat works hard to keep malicious code out of their distributions.

That doesn’t exist with containers pulled from joevandyk/postgresql.


That is specific to the Linux code itself, which is taken from upstream. Linux distro vendors provide a contractual relationship with their customer base that provides SLAs around patching security defects and bugs. They also enforce policies around uptake of new third-party code. They also do extensive patching of all of their packages to mitigate the vulnerabilities that upstream providers do not patch. There is much more to this that would take a blog entry to explain.


> That is specific to the Linux code itself which is taken from upstream.

No, I don't believe that's the case.

> Linux distro vendors provide a contractual relationship with their customer base that provide SLA's around patching security defects and bugs.

I don't think many - if any - GNU/Linux distro vendors provide anything like that.

RHEL may - it's been a while since I've read a RH contract - but most distributions, as noted by parent, make it quite clear in the licence agreement that everything is provided as is and is sold without any warranty or assurance of suitability etc.

> They also enforce policies around uptake of new third party code.

Is third-party code here the same as 'upstream' in the first take? 99% of most distributions' code is 'third party' or 'upstream' in the sense that it comes from people other than distribution maintainers.

> They also do extensive patching of all of their packages to mitigate the vulnerabilities that upstream providers do not patch.

I know Debian does this, and I trust them with the process. I'm not a big fan of RedHat, but I also know they have an excellent reputation on this front.

It doesn't change the fact that licences clearly put responsibility on the user, not the distributor.