I’m a current Rocky, Ubuntu (among others) user looking for some knowledgeable community input on the security differences of these 2 enterprise Linux distros. My use of both distros is for the enterprise so I’m not looking at this from any other perspective. As I work in a highly regulated industry, security is priority 0.
Ubuntu now offers Ubuntu Pro which differs from its LTS release in that it patches critical vulnerabilities in main + universe repos for 10 full years. Problem is, this is not free and it is super expensive at $500/server/year. Of course it is available at the large cloud providers so you can pay as you go, but those providers are only the large ones: Amazon, Google and Microsoft. This is overpriced and it excludes those of us who care about competition and don’t buy from these cloud mammoths.
An additional sour taste is… Canonical seems to violate the notion of a ‘community’ distro because patches delivered to the universe repositories will NOT flow back to the community. Not cool in my book. Long story short, those using LTS vs Ubuntu Pro have a VERY different security experience. Sales people from Canonical and the community have clarified this and I’m still scratching my head. I know that these universe repos have always been community managed but it seems odd to not let that innovation flow back into the community.
Which leads me to my questions:
My post is not intended to start a religious war, so if you want that – Reddit is only a click away. If you would like to substantively clarify the security differences in these 2 distros – please do. I’m just trying to get at the critical security differences in these 2 enterprise Linux distros.
I can’t address all of your questions but I will say a few things. Rocky’s SIG/Security is really good which is why Rocky has met a lot of security standards. Things like the following link are a big deal for some:
That openlogic link isn’t quite correct but I don’t want to get into that. But the Rocky build system is really good and security patches are very quickly released after Upstream Vendor releases them to the community. This shouldn’t be a concern, in my opinion.
I work with and know a lot of people in industries and governments that use EL based distros because of these security standards. I also know a lot of them actually prefer the EL hardened kernel that infrequently gets updates (meaning, it doesn’t have as many security issues against it) vs Ubuntu which uses a more bleeding-edge kernel and thus requires many more updates. Ubuntu releases new kernels almost bi-weekly (or quicker some weeks!) and a LOT of industries don’t like being forced to choose between security patches or weekly/bi-weekly maintenance reboots…
Both are fantastic distros. Both have places they are good and weak at. Both should be used as a right tool for the right job. I applaud you for trying to figure out which is the right tool for the job.
As I work in a highly regulated industry, security is priority 0.
Can you list the security guidelines your industry requires? Because this may make the decision for you. Some have very specific security guidelines to meet. (and if Rocky doesn’t meet it, let the SIG/Security team know so that they can work on it!)
Hope that helps a little.
Thanks so much for adding some insights to my exploration.
I’m still unclear on the differences of the repositories in Rocky and what the time frame is for getting critical vulnerabilities patched. In my case, I really only run LEMP and those core technologies at the moment.
My industries are healthcare and financial – so security, compliance and stability are critical.
Often those industries have specific security standards: Security Technical Implementation Guides (STIGs), or CIS, or Federal Information Processing Standard (FIPS). If you have a specific target like that it’s easier to help identify Rocky’s status in meeting those goals.
As for critical vulnerabilities, Red Hat has an established track record of fixing them quickly and releasing them quickly. Since Rocky is a rebuild of Red Hat, expect within 24-48 hours (or less for most).
As for the different repositories, Rocky matches upstream except for the SIG (special interest group) repos which are provided by the Rocky community. Rocky strives to be transparent and shares everything with the community - especially patches!! Not sure if I’m really answering the question but I hope that helps.