Stupid auditors/pentesters really. Explained a bit in another comment, but essentially we had to explain the concept of backporting CVE fixes to the same 'version' of random libs to the auditors, and to get certified we would have to demonstrate, with actual source, that each of ~200 or so CVEs was fixed in various system parts (individually).
In the end, we just went with Ubuntu for those nodes, and they all passed the certification. Shrug.
Since then, we don't even need the OS to be certified, since we are using confidential computing, and we stuck with Ubuntu for our k8s nodes etc. -- but we are forbidden from using RHEL anywhere by our legal/compliance people now.
The issue here is with your auditors. I mean, if RH tells you a CVE has been fixed with a backport, sure, you can challenge that fact, but at the same time and with the same standards, it'd mean your auditor would also have to check the actual source of your patched Ubuntu packages to make sure the new versions fixed the security bugs.
The bottom line really is that plenty of auditors I've seen don't know how to check for vulnerabilities other than by checking a version... That's it. Their tools or reporting only know that a package must have a version greater than x.y.z.
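Added example (not code from either commenter): what the "version greater than x.y.z" check from the comments above actually does to a backported package, next to the check a distro-aware scanner performs. It uses the real Heartbleed CVE, CVE-2014-0160, which upstream fixed in OpenSSL 1.0.1g while enterprise distros shipped the fix as a backport that kept upstream version 1.0.1e and only bumped the package release. The VENDOR_FIXED_EVR table and SAMPLE_CHANGELOG are constructed for this example (realistic shape, not copied from any vendor's advisory), and rpm_vercmp is a simplified version of rpm's own comparison.

```python
"""Version-only vulnerability checks versus distro-aware ones.

Added example, not from the thread. Uses the real CVE-2014-0160 (Heartbleed):
upstream fixed it in OpenSSL 1.0.1g; enterprise distros backported the fix,
kept upstream version 1.0.1e and bumped only the package release. The vendor
"fixed EVR" row and the changelog text below are constructed for this example.
"""
import re

# Constructed sample in the shape of `rpm -q --changelog openssl` output.
SAMPLE_CHANGELOG = """\
* Mon Apr 07 2014 Package Maintainer <maint@example.com> 1.0.1e-16.el6_5.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

* Tue Feb 04 2014 Package Maintainer <maint@example.com> 1.0.1e-16.el6_5.4
- rebuild with updated tests (constructed entry, no CVE)
"""

# Constructed "vendor security data" row: the package EVR that first carries
# the fix. In practice this mapping comes from the vendor's OVAL/CSAF feeds.
VENDOR_FIXED_EVR = {"CVE-2014-0160": ("openssl", "1.0.1e-16.el6_5.7")}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def _segments(s: str) -> list:
    """Split a version/release into numeric and alphabetic runs, as rpm does."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: -1/0/1 for a<b, a==b, a>b (no '~' or '^' handling)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return (xi > yi) - (xi < yi)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment outranks an alpha one
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_evr(evr: str):
    """'epoch:version-release' -> (epoch, version, release); epoch defaults to 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two full EVR strings: epoch first, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)


def naive_flags_vulnerable(installed_version: str, upstream_fixed_version: str) -> bool:
    """The version-only scanner: installed < upstream fixed version => 'vulnerable'."""
    return rpm_vercmp(installed_version, upstream_fixed_version) < 0


def vendor_flags_vulnerable(cve: str, pkg: str, installed_evr: str) -> bool:
    """Distro-aware check: compare the full EVR against the vendor's fixed EVR."""
    fixed_pkg, fixed_evr = VENDOR_FIXED_EVR[cve]
    if fixed_pkg != pkg:
        raise ValueError(f"{cve} is recorded against {fixed_pkg}, not {pkg}")
    return evr_cmp(installed_evr, fixed_evr) < 0


def cves_in_changelog(changelog: str) -> set:
    """Evidence an auditor can ask for: CVE IDs the package changelog claims to fix."""
    return set(CVE_RE.findall(changelog))


if __name__ == "__main__":
    print("naive, 1.0.1e vs upstream fix 1.0.1g:",
          naive_flags_vulnerable("1.0.1e", "1.0.1g"))  # True: a false positive
    print("vendor EVR, 1.0.1e-16.el6_5.7:",
          vendor_flags_vulnerable("CVE-2014-0160", "openssl", "1.0.1e-16.el6_5.7"))  # False
    print("vendor EVR, 1.0.1e-16.el6_5.4:",
          vendor_flags_vulnerable("CVE-2014-0160", "openssl", "1.0.1e-16.el6_5.4"))  # True
    print("changelog mentions:", sorted(cves_in_changelog(SAMPLE_CHANGELOG)))
```

The naive check reports the patched 1.0.1e-16.el6_5.7 build as vulnerable because it only sees "1.0.1e < 1.0.1g"; the EVR check gets it right because it compares against the release the vendor advisory names, and the changelog grep is the cheapest piece of evidence to hand an auditor who wants more than a version string. None of the three replaces reading the vendor's security data (or the patch itself) when the question is whether a specific CVE is actually fixed.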