Old 08-26-2004, 07:20 PM   #1
Jeffmrg
Member
 
Registered: Apr 2004
Distribution: kubuntu
Posts: 50

Rep: Reputation: 15
Best Open Source Distribution for Regulated Businesses


I thought I'd start this thread here.

We are planning to deploy an open source based network in our business. It is a business that is regulated by the FDA and so we have to adhere to 21 CFR Part 11.

There has been some internal debate regarding the best managed distribution to use for servers and workstations. At first blush, RHEL v3 would appear to be under the greatest degree of control (i.e., infrequent updates, long release cycles, well documented change management). When I mentioned this to one of my associates he said that, hands down, Debian fits this description better. Well, if that is indeed the case, I say to myself, why bother with the cost and licensing fees imposed by RH and just go with Debian.

Has anyone had experience in implementing open source software in such a regulated environment? By this I mean an implementation that has proceeded along life cycle models (validation that is achieved through a systematic IQ/OQ/PQ, requirements and design specifications, traceability matrix, etc).
 
Old 08-26-2004, 08:56 PM   #2
Thoreau
Senior Member
 
Registered: May 2003
Location: /var/log/cabin
Distribution: All
Posts: 1,167

Rep: Reputation: 45
Your OS is limited by your hardware (driver) and application (supported) requirements. If you have no drivers for your hardware that are RHEL exclusive and no applications (database?) that are RHEL exclusive, then you can use a stable branch of any distro you wish.

If you want to have near infinite support on a free version of RHEL, then give http://whiteboxlinux.net/news.php or http://www.centos.org/ a look.

If you just want stable without needing anything Red Hat specific then give Debian or Gentoo a try. Gentoo does compile time hardware optimizations on install, and Debian has great stability and a large user base.

If I were in your position, and had some expertise on site then I would probably do whiteboxlinux. If I wanted to spend some money for faster updates, then I would do Centos. If my hardware and software was OS agnostic, then I would probably do Debian if I was lazy- Gentoo if I had time/wasn't.

That's my opinion on the matter. And I don't know what that FDA thing is, but if that's referring to security- then a Security Enhanced Linux module would more than cover that. It's part of the kernel now as well. Anyhow, good luck.
 
Old 08-26-2004, 11:17 PM   #3
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
It depends on what the regulations dictate. If you need some assured level of security, then you need a distro that is Common Criteria certified. I believe so far only SuSE and Debian (?) have Common Criteria.

If you need assured audit trails, then look for a distribution that has mandatory audit logs (I'm not sure that any Open Source OS has this?).

If you need some type of separation of privileges, then you need a distro with Security Enhanced Linux applied. If you need Mandatory Access Controls, again I believe SEL has this.
 
Old 08-27-2004, 07:48 AM   #4
Jeffmrg
Member
 
Registered: Apr 2004
Distribution: kubuntu
Posts: 50

Original Poster
Rep: Reputation: 15
Thanks for the responses.

The FDA issue is somewhat complex but I can summarize the elements here:

1. Distribution has a well defined composition and is not subject to continual change. In the FDA world (read: pharmaceutical R&D for now) all change must be mapped. For example, to install a new version of Perl would require the approval through procedural channels (called Change Control). These procedural channels would make an assessment as to the degree of risk associated with the change. You can imagine that if life/death decisions (e.g., calculating an experimental dose of a new drug) are being made on the basis of a computational result that one would want to be sure that a change did not adversely influence the integrity of those results.

2. Distribution is secure in the sense that only approved changes can be made and that normal users are limited in their ability to make unapproved changes to their systems (I presume that normal Linux permission models would address this concern). Network security is another matter and is assumed to be in a state of control.

3. Related to number 1, the distro is widely used and accepted by the professional community and has a well managed central point of package control. For example, one could purchase RHEL v3 and use the RH service to manage changes across systems. SuSE has a similar service. Does Debian have anything similar? I'm talking about more than package installations here. It's more to do with one point of distribution for those pre-approved packages.

There are many other elements that I have not mentioned here.

I am not trying to make a case for RHELv3 or SuSE. It would be preferred to go with a distro that does not have the high licensing fees.

Last edited by Jeffmrg; 08-27-2004 at 12:51 PM.
 
Old 08-27-2004, 09:55 AM   #5
bughead1
Member
 
Registered: Jul 2002
Posts: 78

Rep: Reputation: 15
It would seem to me Debian "Stable" meets your criteria at zero-cost for licensing. Apt-get is properly restricted to root and sources-list can be edited to point to an archive under your control, where you can extensively test every upgrade (mostly security upgrades in "stable" anyway) before making it available to admins.
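
One way to check the arrangement described in the post above, where sources.list points only at an archive under your control, as an added example that is not part of the thread. The host name apt.internal.example, the function names and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check that an APT sources.list uses only the approved archive.
# The host apt.internal.example and the sample entries are constructed.

# Print each active deb/deb-src entry whose URI does not start with the
# approved prefix. Returns 1 if any such entry exists, 0 otherwise.
audit_sources() {
    awk -v approved="$2" '
        { sub(/#.*/, "") }                        # strip comments
        $1 != "deb" && $1 != "deb-src" { next }   # skip blanks and other lines
        {
            i = 2
            if ($i ~ /^\[/) {                     # optional [opt=val ...] block
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            if (index($i, approved) != 1) {       # URI must begin with prefix
                printf "%s:%d: unapproved source %s\n", FILENAME, NR, $i
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Write a constructed sample sources.list to the path given as $1.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not from a real host
deb http://apt.internal.example/debian stable main
deb-src http://apt.internal.example/debian stable main
deb http://security.debian.org/ stable/updates main  # bypasses in-house testing
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] http://ftp.debian.org/debian stable main
#deb http://ftp.debian.org/debian unstable main
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_sources "$sample" "http://apt.internal.example/" \
    || echo "sources.list references archives outside change control"
rm -f "$sample"
```

End the approved prefix with a slash so that a look-alike host name sharing the same leading characters does not pass the prefix match.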
 
Old 08-27-2004, 11:10 AM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
I would focus on Red Hat and SuSE. Debian, while stable, does not have a sufficiently restricted contribution mechanism as demonstrated by their breach of security last year. Also, both SuSE and Red Hat meet the requirement for being widely used in the industry as they are by far the two most installed distributions in Fortune 1000 environments.

Another thing to consider is whether you're going to need to run 3rd party software on this platform, such as SAP, Oracle, etc... Working in a software company myself I can tell you that ISVs are only really looking at Red Hat and SuSE as supported platforms. Since there's no such thing as "Linux support" because of the wide variations in how the distributions are architected, ISVs cannot afford to support 10 different Linux distributions and instead focus on the most commonly deployed (otherwise it's the same problem as supporting "UNIX", where you have to do ports to AIX, Irix, HP-UX, Solaris, etc).

Last edited by chort; 08-27-2004 at 11:16 AM.
 
Old 08-27-2004, 12:23 PM   #7
bughead1
Member
 
Registered: Jul 2002
Posts: 78

Rep: Reputation: 15
All in all, I agree with Chort's recommendation to focus on RedHat or SuSE in this instance.

However, if Jeffmrg's stated desire to avoid license cost is accorded significant weight in the decision making process, then I would recommend Debian Stable over all other freely available distributions (including my personal favorite, Slackware), provided Jeffmrg's firm is prepared to provide an in-house archive for "apt-get" (and is prepared to test every update prior to general deployment), and provided any third party apps can be supported.

Otherwise, the best course is to cough up the dough for RedHat or SuSE.
 
Old 08-27-2004, 12:54 PM   #8
Jeffmrg
Member
 
Registered: Apr 2004
Distribution: kubuntu
Posts: 50

Original Poster
Rep: Reputation: 15
Thanks, everyone, for offering your insight. It has come down to RH/SuSE or stable Debian. Given the time (time=-cost) it would take to manage packages even with Debian, the RH/SuSE options appear to offer the best solution.

J
 
Old 10-16-2004, 05:39 PM   #9
Adler
Member
 
Registered: Oct 2004
Location: Wildwood, NJ
Distribution: Debian Jessie
Posts: 192

Rep: Reputation: 18
Jeffmrg,

I'm familiar w/ the multiple requirements of FDA registrations and the CFR regulations.

Have you found a solution to your requirements? My business partner is in EuroLand and we want to do FDA, ISO and CE Mark.

Adler
 
Old 10-25-2004, 11:42 AM   #10
AnanthaP
Member
 
Registered: Jul 2004
Location: Chennai, India
Posts: 952

Rep: Reputation: 217Reputation: 217Reputation: 217
Hi everybody. Here's another take on this regulated thing.

An important feature of Linux is that you DON'T HAVE TO keep updating. This compliance with change management thing is purely to guard against uncontrolled changes forcing a business critical (in your case could be life critical) stoppage in a critical area.

So inherently you are safer than say a W98 user whose OS is going to be phased out by the vendor.

End
 
Old 10-25-2004, 11:56 AM   #11
Adler
Member
 
Registered: Oct 2004
Location: Wildwood, NJ
Distribution: Debian Jessie
Posts: 192

Rep: Reputation: 18
AnanthaP,

Thanks for your reply. Do you have any open-source examples of app packages out there? I went through the ISO process and our consultant was just shoving forms over to us and then was inputting our information into his set-up, printing them and passing it back to us for signature. The whole episode has me now looking at the back-end of things if you know what I mean.
 
Old 10-25-2004, 12:18 PM   #12
predator.hawk
Member
 
Registered: Aug 2004
Location: USA
Distribution: FreeBSD-5.4-STABLE
Posts: 252

Rep: Reputation: 30
Sounds to me like Slackware Stable would be perfect for your needs. Aside from a bit of a learning curve, Slackware is everything you mentioned there. Before any changes take place, Patrick Volkerding verifies it's worth an upgrade (bugfix/security only in Slackware stable), compiles it, packages it, tests it and distributes it.

If I'm off on this, someone please correct me.
 
Old 10-25-2004, 01:41 PM   #13
Adler
Member
 
Registered: Oct 2004
Location: Wildwood, NJ
Distribution: Debian Jessie
Posts: 192

Rep: Reputation: 18
predator.hawk,

I've been warned away from the complexities of the Slackware installation. I went up the learning curve over the past year with several distros - Knoppix, Mandrake, etc. - and settled on SuSE Pro. I've had to grab a few other things out there to be totally MS free, but now am settled very comfortably in the Linux Universe.

You have a URL for your reference? BTW, thanks for the reply.
 
Old 11-01-2004, 02:51 PM   #14
halo14
Senior Member
 
Registered: Apr 2004
Location: Surprise, AZ
Distribution: Debian | CentOS | Arch
Posts: 1,103

Rep: Reputation: 45
I would also recommend RHEL 3... Aside from the high end servers, if a majority of these are going to be run as workstations... you can purchase RHEL WS 3 under the false title of Red Hat Professional Workstation at retail stores such as Best Buy and CompUSA... The discs inside are labeled as RHEL WS 3.. and the cost is $70/box

This initial cost provides you with a full year of updates/bug fixes.. and after that it's just an additional $69/year to renew..
This seems like it may be a viable option for your business...

I don't think many people realize that RHPW is the exact same thing as RHEL WS 3...
 
  

