CentOS
Why use CentOS over another Linux distribution in the US for a commercial product?
To provide the highest level of security and integrity in a base OS, you should start with a distribution that ships with SELinux enabled in the kernel out of the box. It has been my experience that while many distros offer SELinux as an opt-in option, Red Hat's commitment to SELinux from the outset provides the tightest integration and the lowest support overhead, with tools such as setroubleshoot and well-documented methods for identifying SELinux conflicts and resolving them. (EDIT: other products are also available and are equally good. AppArmor from Novell is very nice, as is grsecurity. With ANY configuration or toolset, it is important to be FAMILIAR with the security toolset. AppArmor is built into Ubuntu and is very good. SELinux is built into CentOS and Red Hat based distros and is also very good. At the original writing of this opinion piece, AppArmor was in its infancy and I was biased towards SELinux.)
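As an added example (not from the original post), a short shell check of the two things the paragraph relies on: that SELinux is actually in enforcing mode, and a summary of the AVC denials that setroubleshoot interprets for you. The audit records embedded below are constructed, not taken from a real system, so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: a quick defender's check that
# SELinux on a RHEL/CentOS host is really enforcing, plus a summary of recent
# AVC denials (the records setroubleshoot's sealert interprets for you).

# True only when the mode string is exactly "Enforcing" (Permissive logs
# denials without blocking; Disabled means no policy is loaded at all).
# The mode is passed in rather than read, so the check can run offline.
selinux_enforcing() {
    [ "$1" = "Enforcing" ]
}

# Reduce each raw audit.log AVC record on stdin to
# "<comm> <source type> <target type> <permissions>"; non-AVC lines print nothing.
summarize_avc() {
    sed -n 's/^type=AVC .*avc: *denied *{ \([^}]*\) } .*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\2 \3 \4 \1/p'
}

# Count denials per (comm, source type, target type, permissions) from stdin.
# Output: "<count> <comm> <source type> <target type> <permissions>", most frequent first.
denial_summary() {
    summarize_avc | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed sample audit records (not from a real system) so this runs offline.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1700000000.001:101): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.001:101): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1700000000.002:102): avc:  denied  { read } for  pid=1234 comm="httpd" name="style.css" dev="dm-0" ino=4243 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.003:103): avc:  denied  { name_connect } for  pid=2345 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
EOF

# On a real host read the live mode and audit log; otherwise use the sample data.
if command -v getenforce >/dev/null 2>&1; then
    MODE=$(getenforce)
    LOG=/var/log/audit/audit.log
else
    MODE=Permissive
    LOG=$SAMPLE_LOG
fi

if selinux_enforcing "$MODE"; then
    echo "SELinux: Enforcing"
else
    echo "WARNING: SELinux mode is '$MODE'; denials below are logged but not blocked"
fi
echo "Denials by (comm, source type, target type, permissions):"
if [ -r "$LOG" ]; then denial_summary <"$LOG"; fi
```

On a host where `getenforce` exists, the script reads the real `/var/log/audit/audit.log`, which normally needs root.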
It has been my experience, and the experience of the commercial industry at large, that a best practice is to start with a Linux distribution that is built under US laws regarding patents, trademarks, copyright, and export. The leading vendor in the US is one of two public companies, Red Hat or Novell. It is my opinion that the support of SELinux by SUSE (Novell) is somewhat lackluster and in general lacks the ability to adequately cope with ongoing issue resolution and security updates when compared to the support base of Red Hat.
The argument has been presented that other distributions also go to great lengths to take local laws into account. Unfortunately, since the majority of major Linux distros are maintained outside of the US, there is a perception problem and sometimes a problem with stated policy regarding local trademark and patent laws. Starting with a non-US-based distribution opens your liability path to possible infringement, not out of malice or intent, but purely through convenience or misunderstanding.
For example, Ubuntu's stated policy on the inclusion of non-free works essentially describes a best-effort balance between legality and ease of use.
“Ubuntu contains licensed and copyrighted works that are not application software. For example, the default Ubuntu installation includes documentation, images, sounds, video clips and firmware. The Ubuntu community will make decisions on the inclusion of these works on a case-by-case basis, ensuring that these works do not restrict our ability to make Ubuntu available free of charge, and that you can continue to redistribute Ubuntu.”
“All of the application software installed by default is free software. In addition, we install some hardware drivers that are available only in binary format, but such packages are clearly marked in the restricted component.”
While Ubuntu does make a best effort to separate a main (free) and a restricted (non-free) component, the ease of crossing over between them means that deploying Ubuntu in a commercial environment adds the overhead of package license management: essentially auditing your systems and proving positively that every installed package is compliant.
It is NOT an easy thing to provide both the best OS and a fully compliant one. With RHEL, you have the trust that a commercial, publicly traded company has taken great pains to protect its investment and capital by ensuring compliance with its local laws. With that, you can ride on their coattails, so to speak.
Based on the above, my choice is clear: Red Hat Enterprise Linux. However, RHEL is often too expensive for large-scale installations where ongoing support is not required or is redundant. In such cases the most commonly used distribution is CentOS, a Linux distribution built from the Red Hat Enterprise Linux source RPMs. While this does open us up to some potential compliance issues, it is the stated policy of CentOS to build only from Red Hat sources and to provide only packages from the Red Hat repositories.