[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7367) [PATCH] MozNSS: update list of supported cipher suites

On 10/04/2012 03:19 PM, Quanah Gibson-Mount wrote:
> --On Wednesday, October 03, 2012 10:42 PM +0000 
> richm@stanfordalumni.org wrote:
>> This is quite off-topic, but I could not resist replying.
> Agreed, but Jan opened it up for discussion.
>> On 10/03/2012 03:29 PM, quanah@zimbra.com wrote:
>>> --On Wednesday, October 03, 2012 8:33 AM +0000 jvcelak@redhat.com 
>>> wrote:
>>>> I understand that you don't want to support older OpenLDAP versions,
>>>> builds  with non-default libraries, etc. But the users will rather use
>>>> the package  from their distribution, instead of compiling it by
>>>> themselves. And we cannot  support users' builds, because we do not 
>>>> have
>>>> the sources and the build  environment under control. And we cannot
>>>> rebase the packages freely.
>>> Redhat needs to come up with a solution to this problem, because 
>>> they are
>>> putting their users in a catch-22 situation.  Either they get support
>>> from RedHat for a package that will not work,
>> There are many Red Hat customers who are happy using the openldap server
>> that comes with the distribution, and they do escalate problems through
>> the support they are paying for, and they do get help and fixes that
>> they pay for.
> There are many people who use Red Hat.  There are many of those many 
> who don't use openldap at all.  There are many people just now 
> migrating to RHEL6.  My question would be -- Why is Red Hat being 
> reactive instead of proactive?  Upgrade your builds to include the 
> latest patch level.  Also, you may have "many" happy customers using 
> the distribution version, but I wonder how many would be "happy" if 
> they knew the risks they were being exposed to because Red Hat will 
> not update the build.  Like data loss in sync replication, etc.

If a customer reports such a problem, Red Hat will respond.

>>> or they build their own, and can't
>>> get support from RedHat.
>> Why should they get support from Red Hat if they build their own (in
>> which case they have to support it themselves, or use the openldap
>> community), or install 3rd party software (in which case they should get
>> support from whoever provided the software)?
> You missed my point entirely.  My point is they shouldn't have to 
> build it themselves in the first place.  Red Hat, as the provider, 
> should be a *responsible* entity, and upgrade the build being 
> provided, so none of their customers get put in the untenable 
> situation they now face.  Either build it themselves to get a working 
> OpenLDAP server and lose Red Hat support, or deal with the fact that 
> they are provided with a bad build.
>>> There are reasons new *patch* level releases are
>>> made.  I see zero reason why RedHat cannot update the versions of
>>> OpenLDAP they ship since the fixes are incremental.  No one should be
>>> running OpenLDAP 2.4.23 as a *production server*.
>> The openldap in RHEL6 is *not* a *stock* openldap 2.4.23.  They are
>> running 2.4.23 with many patches backported from later openldap
>> releases.  The current version is openldap-2.4.23-26.el6_3.2.x86_64 -
>> note the "-26" which means a lot more than 26 patches.
> Sorry, but the number "26" is quite unimpressive.

It is not meant to impress, just a statement of fact that the RHEL 
OpenLDAP 2.4.23 is not a stock 2.4.23, but contains many patches 
backported from 2.4.24 and later.

> How many of those 26 patches deal with fixing Red Hat's busted MozNSS 
> bits?

Many, not all.

> Your statement here is like having a mechanic tell me how much better 
> my vehicle is now because he replaced one of twelve bad spark plugs.

I did not mean to imply that more patches == better.  I just meant more 
patches == not stock 2.4.23.

> There have been approximately 450 committed fixes to RE24 since 2.4.23 
> was released.  So you have about 5% of the fixes in your build.  That 
> is just so very encouraging to hear, isn't it?  As a customer, 
> wouldn't you truly feel that Red Hat was doing its best for you, but 
> grabbing a full 5% of fixes to OpenLDAP?  And lets not forget a fair 
> number of those patches you have actually have zero to do with 
> OpenLDAP itself, but with MozNSS... So we're down to what?  3%?

If you will concede the point that quantity != quality, then so will I.

>>> Keep the RPM version string the
>>> same, and note the upstream release in the RPM patchlevel, if that is
>>> necessary, but fix the actual code to be current.
>> That's not what many Red Hat customers pay for.  They pay for very
>> stable releases with only critical patches applied.  The Red Hat
>> customers that want to use newer versions have many options - use Fedora
>> (which does track upstream openldap closely), build their own, go to
>> Symas, etc.
> As is often noted, Fedora is for "bleeding edge".  Patch level 
> releases are not bleeding edge.  They are INCREMENTAL FIXES.  If Red 
> Hat's goal is to provide a "stable release", then your current 
> strategy is utterly flawed. You aren't providing a stable release.  
> Your fixing your distribution to a *random* release, and then holding 
> all your customers to that release, regardless of how broken it might 
> be.  If your goal is truly to provide a stable release, then upgrade 
> the patch level.  If I was asking you to jump from 2.3 to 2.4, or 2.4 
> to 2.5, where the minor level was changing, I'd agree that would not 
> qualify as stable.  I'm not.  I'm saying be responsible, and do right 
> by your customers.  Given them actual stable builds of OpenLDAP, 
> instead of hiding behind this excuse of sticking to a specific version 
> for "stability".  You will notice that the OpenLDAP foundation does 
> not mark *any* release as "stable".  And that is because people would 
> use that in the same broken fashion Red Hat is applying here.

So moving from OpenLDAP 2.4.x to 2.4.x+1 does not introduce any new 
features or regressions, ever?

If this is really the case, then why would Debian or any other 
distribution not want to rebase every time OpenLDAP has a 2.4.x+1 
release?  The FAQ says ". . . upgrading to newer versions is often 
desireable but also means introducing change into stable releases, which 
is exactly opposite to the point of release stability".  So it's ok for 
Debian to take a hard line for release stability, but not Red Hat?  Or 
is your problem really that Red Hat doesn't openly proclaim that the 
OpenLDAP server included with the distribution is not for "a large site, 
a complicated installation" or the like?  So if Red Hat were to provide 
such a disclaimer, it would be ok for Red Hat to take a hard line for 
release stability?

>>> This is why the Debian folks *wisely* recommend that people do *not* 
>>> use
>>> the distribution build for a production server.
>> Can you point me to a link that has that statement in context?
> Absolutely.  They were kind enough to contribute it to the OpenLDAP 
> FAQ. I'm actually surprised you aren't familiar with it at this point, 
> given that I routinely note it on IRC and the mailing list:
> <http://www.openldap.org/faq/data/cache/1456.html>

So what's the difference between Debian and Red Hat with respect to 
OpenLDAP?  That is, why bash Red Hat's handling of OpenLDAP and not 
Debian stable?  I suppose the same thing applies to Red Hat - if a Red 
Hat customer has "a large site, a complicated installation, or problems 
for which [they] need to seek help here", they will probably be willing 
to pay extra for extra attention, in the form of adding additional 
resources to build and maintain OpenLDAP themselves, or hiring a firm 
like Symas.

>>> As long as RedHat keeps up this policy, the only advice ever for RedHat
>>> customers is to build their own RPMs, and get support elsewhere, since
>>> RedHat clearly can't keep working server versions together for their
>>> customers.
>> Clearly.  Except for the many customers who are quite happy.
> See above.  You say they are happy, but would they actually be happy 
> if they knew the risks Red Hat was knowingly putting their data 
> under?  And in that "happiness" quotient, are you counting the 
> increasing number of people emailing the -technical list and asking 
> question on IRC about why their OpenLDAP build is so broken?  I'm 
> think that is likely not the case.

Most of the complaints I see from users in the OpenLDAP community are 
about the TLS/SSL support in RHEL6.  Do you have evidence to the contrary?

As for other comments, see below.

>>> And then that leads to the question of what exactly they are
>>> paying RedHat for support for in the first place.
>> I like how you use "RedHat" instead of "Red Hat".
> I like how you avoided addressing my point.

I see your point.  I get it - the OpenLDAP community is not happy with 
the way Red Hat handles OpenLDAP.  If you are really, truly concerned 
about Red Hat customers using OpenLDAP software, what are you going to 
do about it?   If your goal is to get Red Hat to rebase OpenLDAP 
releases on a regular basis, how can you achieve that goal?  Complain to 
Jan and I in an OpenLDAP ITS?  Bash Red Hat to every user who has the 
temerity to use rhel/fedora/centos and ask a question in #ldap and 
#openldap and the OpenLDAP mailing lists?  If a critical mass of paying 
Red Hat customers tells Red Hat that they are not happy with OpenLDAP, 
then Red Hat will do something about it.  That's the demand side.

Red Hat (and probably all OS distributions) has the same problem to some 
extent with all upstream projects.  There are probably Apache upstream 
community members who are unhappy with the way Red Hat deals with Apache 

As for the supply side, if Jan and the other OpenLDAP maintainers feel 
that it is better to rebase than patch, then that's a good start.  They 
are the ones who are on the hook - it's their necks if things don't work 
correctly.  Once they convince themselves, then they have to convince 
QE, Doc, support, and management that it really is the best policy.  And 
part of it is Red Hat's policy towards release stability, which adds 
additional process, but is workable.

> --Quanah
> -- 
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra ::  the leader in open source messaging and collaboration