[OpenIndiana-discuss] OpenIndiana roadmap

[Sašo Kiselkov]

On 02/19/2013 02:23 PM, Jim Klimov wrote:
> I believe RedHat and its spin-offs (Fedora as a bleeding edge
> experiment, and CentOS as a rebadged clone) have set a nice
> example here, especially the latter. All the source is open as
> GPL requires, and AFAIK CentOS is a rebuild of the same code in
> the same conditions as the main RHEL distro. The only difference
> is the right (license) to use RedHat's IP in the form of name
> and logo, which is granted only to its official paid-for distro.

You don't get access to RedHat's repos without paying. There are some
portions of the code that CentOS doesn't ship (such as the policy
enforcement libraries). In this respect, RHEL is closer to what Solaris
was before the Oracle takeover (a closed-source distro built from freely
available sources).

> Also, the paid-for distro users have someone to complain to in
> case of bugs/RFEs, and the community (including free spinoff
> users) have the results for free, but later (after testing,
> rebuilds, etc.) Qualified users are free to pull the source
> code updates and constantly rebuild their free OSes if they
> like, but the general populace would likely wait for new RPM
> revisions to appear and become automatically downloaded and
> applied to their installation.
> 
> As for user identification, Oracle MOS has an example with
> individual user certificates issued for support contract
> holders, to access IPS repos over HTTPS. On one hand, these
> certificates automatically have an expiration date which
> forces one to continue buying support and automates the
> non-provision of commercial updates to unpaid users. On
> another hand this allows to track the usage - i.e. how
> many IP addresses downloaded a patch with certain user
> certificate, or even how many times it has been used for
> the same patch in a short timeframe (though... then what
> about updates of many local zones...)?

Except that you could use this to install a certificate on any number of
NAT'ed machines. A little bit of manipulation in the IPS libraries and
you can get all machines to look and smell like the same machine.
No, if you want to track usage without people cheating, you need to ship
closed policy enforcement code - that's why you'll never see an
open-source DRM. It just doesn't work, by definition.

> If you want to go Nazi about forcing people to buy support
> for each machine - there are simple ways to do it. They
> might be circumvented (i.e. use the user-cert on some LAN
> replicator of IPS packages), but this might not be worth it
> especially if support is kept relatively cheap and the users
> follow an honor system to have this OS alive at all.
> 
> The individual users might get the same patches via source
> (illumos-gate, etc. - subject to their ability to build this
> and receive the same resulting binaries which work like the
> QA'd releases) and/or by quarterly community releases, etc.
> 
> This way, the code needs not be closed, and there is an
> ability to fund the project (both branches) as well as gain
> free users and more common awareness. And compliance-bound
> users have someone to blame for security breaches ;)

I don't want to go through a billion hoops just to deploy
security-supported machines. Want to make a closed-model variant of OI?
Go ahead. But if this is the direction OI itself takes, I'm out (and I
gather I'm not the only one).

> Though, possibly, this is what undermined Sun - OpenSolaris
> SXCE which was way more functional than Solaris 10 and free
> to use at that ;)

Solaris 10 was free to use, with patches and all, although the source
was closed - that's the only advantage SXCE had over S10 (besides being
based on the S11 codebase).

Cheers,
--
Saso