Cuddle is the term Sun insiders give their Common Development and Distribution License (CDDL). When we (and others) wrote about the work Red Hat, IBM and Trusted Computing are doing on certifying a secure Linux, earlier this week, Sun-ster Mark Thacker was told to cuddle the press.
Thus I found myself today in a verbal bear hug, the gist of which was:
- Solaris 10 is open source through Open Solaris.
- Solaris 10 has already begun the testing the other guys are just talking about.
- Most of that testing will be done by next spring.
Thacker also explained, at length, what we're talking about here.
What is at issue is the Common Criteria, an international standard for security evaluation under which an accredited third-party lab certifies a product against a published protection profile. Sun's Solaris 8 has already gone through all these tests. It is certified against the Controlled Access Protection Profile (CAPP). It is certified against the Role-Based Access Control Protection Profile (RBACPP). It is even certified against the Labeled Security Protection Profile (LSPP), the profile for mandatory, label-based access control.
What this means, in practice, is that an agency like the Department of Homeland Security can run Solaris 8 secure in the knowledge that every file and process carries a sensitivity label the system enforces, not the user: workers without the right clearance cannot read data labeled above them, and cannot even learn that such data exists on their systems, while every level of classification stays sealed off from the ones below it. And the process of making Open Solaris equally secure is well underway.
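To make the labeled-security property concrete, here is a small model of the check an LSPP-style system performs on every access. This is an added illustration and not Sun's or Trusted Solaris's code; the labels, compartment names, paths and users are constructed for the example. The two things worth noticing are that a label dominates another only when both its level and its compartment set are at least as large, and that an object the subject does not dominate is reported exactly like a missing file, which is how "can't even know the data is there" is enforced.

```python
"""Label dominance as used by a multilevel-secure (LSPP-style) reference monitor.

Added illustration, not code from Sun or Trusted Solaris. All labels, paths and
subjects below are constructed for the example.
"""
from dataclasses import dataclass

# Hierarchical sensitivity levels (constructed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: int                 # hierarchical sensitivity
    compartments: frozenset    # non-hierarchical need-to-know categories

    def dominates(self, other: "Label") -> bool:
        """A dominates B iff A's level >= B's level and A holds every compartment of B."""
        return self.level >= other.level and self.compartments >= other.compartments


def label(level: str, *compartments: str) -> Label:
    return Label(LEVELS[level], frozenset(compartments))


# Constructed sample filesystem: path -> label of the data it holds.
OBJECTS = {
    "/data/press-release.txt": label("UNCLASSIFIED"),
    "/data/budget.xls": label("CONFIDENTIAL"),
    "/data/ops-plan.doc": label("SECRET", "NOFORN"),
    "/data/sigint.txt": label("TOP SECRET", "SI"),
}


def access(subject: Label, path: str, mode: str, objects=OBJECTS) -> str:
    """Mediate one access; returns 'ok' or an errno-style name.

    read  : allowed when the subject dominates the object (no read-up).
    write : allowed only at an equal label (no write-down; write-equal is a
            conservative form of the Bell-LaPadula star-property).
    An object the subject does not dominate is answered exactly like a missing
    path, so probing a filename cannot confirm that classified data exists.
    """
    if mode not in ("read", "write"):
        raise ValueError(mode)
    obj = objects.get(path)
    if obj is None or not subject.dominates(obj):
        return "ENOENT"            # deliberately not EACCES: EACCES would leak existence
    if mode == "read":
        return "ok"
    return "ok" if obj == subject else "EACCES"   # write-down on a visible file is refused


def listing(subject: Label, objects=OBJECTS) -> list:
    """Directory listing as the subject sees it: only dominated entries appear."""
    return sorted(p for p, lbl in objects.items() if subject.dominates(lbl))


if __name__ == "__main__":
    subjects = [
        ("clerk", label("UNCLASSIFIED")),
        ("analyst", label("SECRET", "NOFORN")),
        ("ts-si officer", label("TOP SECRET", "SI", "NOFORN")),
    ]
    for name, who in subjects:
        print(name, listing(who),
              "read sigint:", access(who, "/data/sigint.txt", "read"),
              "write press-release:", access(who, "/data/press-release.txt", "write"))
```

Note that a SECRET subject without the NOFORN compartment is refused `/data/ops-plan.doc` just as an UNCLASSIFIED one is: level alone is never enough, and the refusal is indistinguishable from the file not being there.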
A Canadian lab has begun evaluating Solaris 10 against CAPP and RBACPP, and that should be done in the second quarter. The LSPP protections will come in an add-on to Solaris 10, called Trusted Extensions, which is due for release next spring. Thacker said Sun has not yet decided whether to make Trusted Extensions open source.
This is not an easy process to work through, Thacker emphasized. "This is their first time through" he said of the Red Hat group. "I wish them the best of luck. It can take 15 months. It takes a while." You have to define modules, define tests, and let someone else do the tests. "Free Solaris 10 is already in evaluation. And I have something that’s gone through all three" types of evaluation. "There’s no Linux that is at that certification level."
The short version? If you can cuddle up to CDDL you can have secure open source, right now.