CentOS 6 as a proprietary firmware

palacs
Posts: 13
Joined: 2017/04/19 16:33:30

Post by palacs » 2017/05/05 15:37:16

CentOS 6 is really stable and has well-maintained packages with lots of bug fixes and without additional features. So it will get more and more stable till the end of support, 2020.

Assume that I develop a product which I sell for money. Let it be a professional network router. I ship it with CentOS on it with my packages pre-installed. These packages are necessary for the router to maintain its functionality. These packages are not open-source and are not derivative works of any CentOS package. They just depend on base CentOS packages (like libc).

Can I do this for free?

I mean, do I have to pay the CentOS developers, maintainers, etc. because I embed their operating system into my product?

stevemowbray
Posts: 519
Joined: 2012/06/26 14:20:47

Re: CentOS 6 as a proprietary firmware

Post by stevemowbray » 2017/05/05 15:59:02

In fact CentOS 6 is about to move into production phase 3, where only critical bugs will be addressed, so in effect it can't get any more stable and known bugs won't be fixed.

stevemowbray
Posts: 519
Joined: 2012/06/26 14:20:47

Re: CentOS 6 as a proprietary firmware

Post by stevemowbray » 2017/05/05 16:02:50

As regards any licensing/legal questions you probably want to read this:

https://www.centos.org/legal/trademarks/

palacs
Posts: 13
Joined: 2017/04/19 16:33:30

Re: CentOS 6 as a proprietary firmware

Post by palacs » 2017/05/05 16:08:16

Thanks for mentioning it, but I have already checked the Known Issues section of the CentOS 6.9 Release Notes and none of the issues will affect my goals.

From my perspective it is getting more stable since security flaws and critical bugs will still get fixed - if I get it right from the Product Specifications page.
"During the Maintenance updates phase, only Security errata and select mission critical bug fixes will be released. There will be few, if any, Update Sets released upstream."
About the trademarks page, it is too legal (complicated) for me to interpret and apply to my current situation. :P

TrevorH
Site Admin
Posts: 33220
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS 6 as a proprietary firmware

Post by TrevorH » 2017/05/05 16:11:46

But in Production Phase 3, only critical security bugs get fixed so it will get progressively less and less secure, even before it hits EOL in just under 3 years.

If you're developing something new, much better to choose CentOS 7 as that has been out for nearly 3 years (so all the teething bugs should have been worked out by now) and still has another 4 to go before it goes into PP3.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

palacs
Posts: 13
Joined: 2017/04/19 16:33:30

Re: CentOS 6 as a proprietary firmware

Post by palacs » 2017/05/08 11:32:13

Why would it get less secure if security bugs get fixed?

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: CentOS 6 as a proprietary firmware

Post by avij » 2017/05/08 11:46:17

palacs wrote: "Why would it get less secure if security bugs get fixed?"
Quoting https://access.redhat.com/support/polic ... on_3_Phase -- emphasis mine:
"During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available."
This would mean that vulnerabilities ranked as Low, Moderate and Important will remain unfixed in Production 3 Phase.

Basing your development on CentOS 6 is not a good idea, especially if the product is supposed to be used for years to come. Move on to CentOS 7, as suggested earlier.

TrevorH
Site Admin
Posts: 33220
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS 6 as a proprietary firmware

Post by TrevorH » 2017/05/08 13:33:43

"Why would it get less secure if security bugs get fixed?"
The key wording is "ONLY critical vulnerabilities". That means that anything that's rated less than critical - i.e. important and less - is not fixed.

palacs
Posts: 13
Joined: 2017/04/19 16:33:30

Re: CentOS 6 as a proprietary firmware

Post by palacs » 2017/05/10 13:11:24

Could you show me some examples of unfixed non-critical vulnerabilities causing a security breach (e.g. from CentOS 5) or some real danger or loss?

Either a real occurrence in the past or just a package that you know has a wontfix, non-critical vulnerability.

TrevorH
Site Admin
Posts: 33220
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS 6 as a proprietary firmware

Post by TrevorH » 2017/05/10 13:50:22

I could but it would involve trawling through MBs of logs looking and I cannot be bothered. The problem exists and is a real one.
