Edit: it's CentOS 7 (original: CentOS 3 on a self checkout?!?)
Am I crazy in thinking that the shop I was in that has CentOS 3 running their self checkouts should have a more up to date and currently supported OS? These are brand new self checkouts (the shop has had them for about a year now, but you get my point.)
It’s a genuine question. Am I wrong in thinking that using this OS on a self checkout is a terrible idea? (FWIW this shop is an international retailer)
I have no stake in the shop or anything. I just happened to be there when they had to reboot a self checkout and I noticed the OS version as I was going by.
It's likely CentOS 7.9, which was released in Nov. 2020 and shipped with kernel version 3.10.0-1160. It's not completely ridiculous for a one year old POS systems to have a four year old OS. Design for those systems probably started a few years ago, when CentOS 7.9 was relatively recent. For an embedded system the bias would have been toward an established and mature OS, and CentOS 8.x was likely considered "too new" at the time they were speccing these systems. Remotely upgrading between major releases would not be advisable in an embedded system. The RHEL/CentOS in-place upgrade story is... not great. There was zero support for in-place upgrade until RHEL/CentOS 7, and it's still considered "at your own risk" (source).
For many, CentOS7 is the last version of it because CentOS8 is now something different—they swapped it from being downstream from RHEL to essentially being the RHEL beta branch
What is the risk if it's all on a closed internal network? You can safely run Windows 98 as long as you're very careful about what goes in and out at your gateway.
Commerical networks tend to be a bit more robust than Joe Schmoe's basement router. It's a giant pain to keep up with each and every update on everything a store uses (not just self checkouts, things like CCTV systems, HVAC monitoring, electronic signage like smart screens, etc.) so usually it's all controlled at the network level.
I install CCTV, I guarantee you more than three quarters of the DVRs and PoE cameras I install never get updated and are "set and forget". I've pulled out 10-15 year old cameras still with original firmware in giant national chain stores when they do refreshes of their infrastructure.
I'm sure it's not directly connected with an externally accessible IP. It's either communicating with a backoffice server, or on a secure VPN tunnel to the rest of the corporate network.
It does not, a few Cisco appliances in our company run / ran cent and AFAIK the infra teams all had to migrate to alma and move everything over with some script from Cisco.