[OpenIndiana-discuss] OpenIndiana roadmap

Jim Klimov jimklimov at cos.ru
Tue Feb 19 13:23:58 UTC 2013


On 2013-02-19 13:25, Sašo Kiselkov wrote:
> It might seem like a fine idea for a business, but for me this is a deal
> breaker. I have lots of OI systems, some for personal use, some for
> business use, and all of them need security fixes. I don't want to have
> to pay for support on machines which generate zero revenue.

Makes sense.

> Also, how do you enforce this? Will you make access to security
> repositories subscriber-only? And how will you manage subscriptions? How
> will you manage machine IDs? This necessarily forces you to close off
> portions of OI code, which is a dangerous path to take.

I believe Red Hat and its spin-offs (Fedora as a bleeding edge
experiment, and CentOS as a rebadged clone) have set a nice
example here, especially the latter. All the source is open as
GPL requires, and AFAIK CentOS is a rebuild of the same code in
the same conditions as the main RHEL distro. The only difference
is the right (license) to use Red Hat's IP in the form of name
and logo, which is granted only to its official paid-for distro.

Also, the paid-for distro users have someone to complain to in
case of bugs/RFEs, and the community (including free spinoff
users) have the results for free, but later (after testing,
rebuilds, etc.). Qualified users are free to pull the source
code updates and constantly rebuild their free OSes if they
like, but the general populace would likely wait for new RPM
revisions to appear and become automatically downloaded and
applied to their installation.

As for user identification, Oracle MOS has an example with
individual user certificates issued for support contract
holders, to access IPS repos over HTTPS. On one hand, these
certificates automatically have an expiration date which
forces one to continue buying support and automates the
non-provision of commercial updates to unpaid users. On
the other hand, this allows tracking the usage - i.e. how
many IP addresses downloaded a patch with a certain user
certificate, or even how many times it has been used for
the same patch in a short timeframe (though... then what
about updates of many local zones...)?

If you want to go Nazi about forcing people to buy support
for each machine - there are simple ways to do it. They
might be circumvented (i.e. use the user-cert on some LAN
replicator of IPS packages), but this might not be worth it
especially if support is kept relatively cheap and the users
follow an honor system to have this OS alive at all.

The individual users might get the same patches via source
(illumos-gate, etc. - subject to their ability to build this
and receive the same resulting binaries which work like the
QA'd releases) and/or by quarterly community releases, etc.

This way, the code need not be closed, and there is an
ability to fund the project (both branches) as well as gain
free users and more common awareness. And compliance-bound
users have someone to blame for security breaches ;)

Though, possibly, this is what undermined Sun - OpenSolaris
SXCE which was way more functional than Solaris 10 and free
to use at that ;)

//Jim



