by forgotAgain 4446 days ago
Until now I agreed and have used Ubuntu for several years. I was however taken by surprise by how out of the mainstream Ubuntu seemed to security folks when Heartbleed was being identified and its fix promulgated. https://news.ycombinator.com/item?id=7592244

It left me wondering if Redhat's contributions to the security community give it a leg up. Any "cloud platform of choice" needs to be a first tier security platform. The Heartbleed bug shows that it may not be.


Despite being left out of that initial communication, Ubuntu released an update before Red Hat (as far as I could tell).

Ubuntu patch on April 7 at 22:01 https://lists.ubuntu.com/archives/ubuntu-security-announce/2...

Red Hat patch on April 8 at 03:21 https://www.redhat.com/archives/rhsa-announce/2014-April/msg...

That timeline shows that Red Hat knew about Heartbleed exactly 14 minutes before the other distros did. Hardly sounds like a "leg up" to me.

The Heartbleed disclosure was kind of botched, but in general things go more smoothly, with all the major distros being informed ahead of time and having time to prepare patches. For example, see the Xen privilege escalation vulnerability in 2012, and the PostgreSQL remote execution vulnerability in 2013. In both cases, Ubuntu was informed ahead of time and had updates ready to roll when the vulnerability was publicly disclosed.

Several of the OpenSSL contributors are RedHat employees. I would presume that Redhat learned of the problem when OpenSSL learned of the problem.
out of touch how?

the ubuntu pkg security update for openssl/heartbleed was available the same day as the public announcement, without the benefit of prior notification (unlike redhat, who had prior notice and released their fix a day after the public announcement).

http://lwn.net/Articles/593861/

It isn't clear to me whether "which OpenSSL forwarded to Red Hat and others" includes Canonical or not. It is clear that Red Hat was included by that statement, but what makes you think that this is a bias in who received a direct notification, as opposed to a bias of the author of this particular article?
Mark J. Cox (RH) emailed the distro's mailing list inviting anyone on this very closed list to contact Red Hat SRT asking for details.

(http://www.openwall.com/lists/oss-security/2014/04/08/10)

I don't get what you're saying. From a cursory reading of your link, I don't see anything Ubuntu did wrong, it just seems that things moved very quickly with the disclosure. Am I missing something?
I'm saying that Ubuntu needs to be contributing more to OS security and that those who do contribute naturally have better information on security issues.
I'll stick with Ubuntu, it feels good to know they aren't part of some GOBN clique but stand on their own.