Redhat MRG versus Apache Qpid - differences?

[Fraser Adams <fr...@blueyonder.co.uk>]

I'm seeking some objective guidance about the differences between RedHat 
MRG and Apache Qpid Open Source.

There has been some discussion in my organisation about whether we 
should go down the MRG route and I'm interested in the perspectives of 
others.


One of the biggest concerns that seems to be being flagged is the 
potential for security vulnerabilities and the responsiveness of an Open 
Source versus commercial product with respect to patching identified 
vulnerabilities. I'm also interested in whether there are any 
significant performance differences.

Is there a difference between MRG and Qpid in this count?

My understanding was that there's a pretty tight synergy between MRG and 
Qpid and that patches make it back and forth in quick succession. It was 
also my understanding that RedHat was a key sponsor and RedHat was also 
part of the Open Source community - I've noticed a few RedHat email 
addresses on this Mailing list.


I'd really appreciate an unbiased comparison. If going MRG means my 
organisation funding the Open Source community in a round about way 
perhaps I ought to be encouraging it, but conversely I don't want to see 
uninformed bad mouthing of the strategy for managing vulnerabilities in 
Open Source projects propagating in my organisation. So if MRG is no 
more secure than Qpid I'd like to make that clear and to have a decision 
on MRG versus Qpid decided on merit rather than assumption.

Many thanks,
Frase




---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org

Re: Redhat MRG versus Apache Qpid - differences?

[Carl Trieloff <cc...@redhat.com>]

I'll put my other hat on and provide a few comments.


On 09/21/2011 01:49 PM, Fraser Adams wrote:
>
> I'm seeking some objective guidance about the differences between
> RedHat MRG and Apache Qpid Open Source.
>
> There has been some discussion in my organisation about whether we
> should go down the MRG route and I'm interested in the perspectives of
> others.
>
>
> One of the biggest concerns that seems to be being flagged is the
> potential for security vulnerabilities and the responsiveness of an
> Open Source versus commercial product with respect to patching
> identified vulnerabilities. I'm also interested in whether there are
> any significant performance differences.
>
> Is there a difference between MRG and Qpid in this count?


depends.  MRG is built the same way we build RHEL for example. This
means an upstream version is taken from Qpid and all the other source
trees used, then this is tested, hardware certified etc, and any issues
found are fixed and patched. Yes we push these back upstream, but we
don't pull work in progress onto the stable distro. We then support this
version and port any fixes from upstream for customers to the version
and support it for 5-7 years.  At some point we will re-base and repeat
the process.

So MRG you get this stable patch stream of bugs, minior RFE's security
etc etc.


>
> My understanding was that there's a pretty tight synergy between MRG
> and Qpid and that patches make it back and forth in quick succession. 

yes, patches are pushed back to Qpid, but they go in with any other work
going on. Where Red Hat with MRG maintains a stable tree and the only
patches in items based on a QA,compat,etc  much like the RHEL process.


> It was also my understanding that RedHat was a key sponsor and RedHat
> was also part of the Open Source community - I've noticed a few RedHat
> email addresses on this Mailing list.

yip, I for one am one such individual :-)

>
>
> I'd really appreciate an unbiased comparison. If going MRG means my
> organisation funding the Open Source community in a round about way
> perhaps I ought to be encouraging it, but conversely I don't want to
> see uninformed bad mouthing of the strategy for managing
> vulnerabilities in Open Source projects propagating in my
> organisation. So if MRG is no more secure than Qpid I'd like to make
> that clear and to have a decision on MRG versus Qpid decided on merit
> rather than assumption.
>


I would not hang an argument of security as a difference. rather the
application to version that has enterprise lifecycle managed for you,
the ability to get hot fixes, support etc for MRG.

Now putting my Qpid hat on, If you use qpid, that is great, we would
love to have you as a Qpid user, one way or the other

Carl.

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org