Security concerns in Ubuntu and CentOS

Bruno Polaco asked:

In my company we are dealing with an interesting decision: which Operating System should we choose as the default one? This does not mean that every installation will be based on the chosen Operating System, but using a different one will probably have to be justified.

Features and other comparisons aside (I indeed read this post but it didn't help much), the main discussion is around overall security and how the developers of each of the two Operating Systems deal with it.

This is as far as I know:

  • Ubuntu has LTS for 5 years and has actual Canonical employees working on compatibility and security updates.
  • CentOS is fully managed by the community, and security updates come mainly from the Red Hat upstream.

And some considerations:

  • CentOS is forever in catch-up mode as security updates come from Red Hat. This alone creates a time gap.
  • This post written in Feb/2011 got me worried, but I don't know if today (2 years later) the reality is the same. Quoting some of the article:

Normally, CentOS follows along with Red Hat security updates, releasing its versions as quickly as it can after the RHEL update is released. But 5.6 (or any “point” release of RHEL) comes with a whole slew of updated packages, any of which might have a security update—or be a dependency of a package updated for security reasons. Since there are no CentOS 5.6 packages (yet), these security updates fall into a crack in the CentOS development process. CentOS can either backport the fixes into the 5.5 package, or release an updated 5.6 package along with all of its dependencies, some of which may not have passed the QA process yet.

Except for those updates that Red Hat has marked as “critical”, CentOS has chosen to do neither of the above, according to lead developer Karanbir Singh. That may leave its users vulnerable to a number of potentially exploitable security holes. In email, Singh said that the CentOS team is looking at Red Hat’s security updates to fix those that are deemed “remotely-exploitable”, but that doesn’t seem to jibe with what is getting released for CentOS 5. Since the release of RHEL 5.6, there have been no CentOS 5 security updates.

It looks like going with CentOS implies that at some point we (maybe) will need to buy a RHEL license.

My natural choice would be going with Ubuntu over CentOS, but all I have on Ubuntu is the LTS argument and I don't know how well the LTS actually works. More opinions on that would be nice. Also, more opinions on CentOS security nowadays would be nice too.

Also, when doing a basic Google search it is quite common to see more Ubuntu results than CentOS ones, but we do know that Ubuntu has a larger target audience because of the desktop support, and this alone generates a lot of web content.

So, which one do you think has a better development approach/capability for handling security updates?

My answer:

Either of these distributions will receive important security updates in a timely manner.

As for overall security I’ll have to give the edge to RHEL/CentOS, if only for shipping with reasonably secure defaults for all common services, as well as SELinux enabled and enforcing out of the box. All of the Debian and Ubuntu boxes I’ve had to manage have needed work to secure their services. Even so, this is pretty minor.

For the most part, I think this is a non-issue, and your choice of distribution really needs to be made on factors other than “security”.
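The answer's edge for RHEL/CentOS rests on SELinux being enforcing out of the box, which is only a benefit if it stays that way on the deployed host. The following is an added example (not code from the question or the answer) that decides the effective SELinux mode from the two inputs that determine it: the `SELINUX=` line in `/etc/selinux/config`, and the real kernel boot parameters `selinux=0` (disables SELinux entirely) and `enforcing=0` (boots permissive), which override the file. The function takes the file and command-line contents as strings so it can be run offline against the constructed samples below; the `audit_live_host` wrapper is an assumed helper name that feeds it the real files when they exist.

```shell
#!/bin/sh
# Added example: compute the effective SELinux mode from /etc/selinux/config
# plus the kernel command line. Not part of the original Q&A.

# selinux_effective_mode CONFIG_TEXT CMDLINE_TEXT
# Prints one of: enforcing | permissive | disabled | unknown
selinux_effective_mode() {
    config="$1"
    cmdline="$2"

    # Take the last uncommented SELINUX= assignment; SELINUXTYPE= does not match
    # because the regex requires '=' directly after SELINUX.
    mode=$(printf '%s\n' "$config" \
        | sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' \
        | tail -n 1)

    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) mode=unknown ;;   # missing or unrecognised value: flag for manual review
    esac

    # Kernel boot parameters override the file. selinux=0 wins over everything;
    # enforcing=0 only downgrades an enforcing configuration to permissive.
    if has_boot_param "$cmdline" "selinux=0"; then
        mode=disabled
    elif has_boot_param "$cmdline" "enforcing=0"; then
        if [ "$mode" = enforcing ]; then
            mode=permissive
        fi
    fi

    printf '%s\n' "$mode"
}

# has_boot_param CMDLINE_TEXT PARAM: true if PARAM appears as a whole token
has_boot_param() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_live_host (assumed helper name): run the check on the real files if
# this host has them; exit 1 unless the result is "enforcing".
audit_live_host() {
    if [ ! -r /etc/selinux/config ] || [ ! -r /proc/cmdline ]; then
        echo "no SELinux config on this host" >&2
        return 1
    fi
    result=$(selinux_effective_mode "$(cat /etc/selinux/config)" "$(cat /proc/cmdline)")
    echo "effective SELinux mode: $result"
    [ "$result" = enforcing ]
}

# Constructed sample inputs (not captured from any real machine).
SAMPLE_CENTOS_CONFIG='# This file controls the state of SELinux on the system.
#SELINUX=disabled
SELINUX=enforcing
SELINUXTYPE=targeted'

SAMPLE_DISABLED_CONFIG='SELINUX=disabled
SELINUXTYPE=targeted'

# Demonstration of the three override cases on the constructed samples.
selinux_effective_mode "$SAMPLE_CENTOS_CONFIG"   "BOOT_IMAGE=/vmlinuz ro quiet"
selinux_effective_mode "$SAMPLE_CENTOS_CONFIG"   "BOOT_IMAGE=/vmlinuz ro enforcing=0"
selinux_effective_mode "$SAMPLE_CENTOS_CONFIG"   "BOOT_IMAGE=/vmlinuz ro selinux=0 enforcing=0"
selinux_effective_mode "$SAMPLE_DISABLED_CONFIG" "BOOT_IMAGE=/vmlinuz ro enforcing=0"
```

Run `audit_live_host` from a configuration-management check to catch hosts that someone has quietly switched to permissive or disabled, which is the usual fate of "SELinux enforcing out of the box" once a service refuses to start. On a live system `getenforce` gives the same answer directly; the parsing above is what you need when auditing an image or a mounted filesystem that is not running.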

