Date:      Fri, 13 Apr 2001 08:40:09 -0600
From:      Wes Peters <wes@softweyr.com>
To:        Roger Marquis <marquis@roble.com>
Cc:        security@FreeBSD.ORG
Subject:   Re: Security Announcements & Incremental Patches
Message-ID:  <3AD70FC9.1628DB70@softweyr.com>
References:  <Pine.BSF.4.21.0104111214510.52823-100000@roble.com>

Roger Marquis wrote:
> 
> Scott Johnson wrote:
> > There is a difference between security fixes and a 'more low-key and
> > conservative set of changes intended for our next mainstream release'.
> 
> I think this is a point many posters are missing.  Production
> systems administration has to be conservative.  A good systems
> administrator would *NEVER* run cvsup or -STABLE on a revenue
> generating production server for example.  Change deltas must be
> kept to a minimum to minimize the risk of downtime or application
> problems.

But below you seem to have an inordinate fondness for the Solaris patch
mechanism, which is the same thing, but in binary form.  So what's the
difference?  Just your lack of understanding?

The usual method of handling this in a production environment is to 
have a "build box", where you cvsup and make world, then test your
production apps off-line on copies of your real database(s).  Then, once
you've tested the build, you install it on your production machines as
operations allow.

It is also important to keep network services like DNS on separate boxes
from the rest of your production environment.  Servers like this can
typically be rather small boxes, and you should have at least two of 
them anyhow, so you can reload one with the new build, verify correct
function, then reload the other during off-peak demand.

None of this is rocket science, it's just good operational discipline.
I've even used my laptop in this role, as the build/test box for system
updates, until I bought a small SMP desktop so I could fully test SMP
operations with our multi-threaded application just to be sure.

So what part of this makes you nervous?  Spending $500 on a build box?

> > I just want to add my voice as to how I use FreeBSD. Simply saying 'use
> > -STABLE' to those of us running -RELEASE on production systems isn't
> > appropriate,

Of course it is, if you do it sensibly.  You have to get critical security
and functionality updates somehow, and this is one of the best maintenance
systems I've encountered in 20 years of UNIX work.

> Agreed.  It might be worthwhile to point out that Linux is gaining
> market share by leaps and bounds while FreeBSD's user base remains
> relatively stagnant for *exactly* this reason.

Bullshit.  B U L L S H I T.  The "market share" of Linux and FreeBSD are
unknown and unknowable, so whatever you think they are is probably just
as WRONG as what Linus and JKH think they are, and to lump this stupid-ass
misunderstanding of what -stable is as the sole reason Linux has more
users than FreeBSD is so far beyond naive to be an out-and-out lie.  You,
sir, are a scoundrel.

> This is all IMHO.  Perhaps I'm just spoiled by Solaris' patch
> process.  Yet we have seen a significant increase in Sun purchases
> thanks to their Blade 100 and its $1000 price (headless).  The
> FreeBSD community has to make the choice:  do you want to FreeBSD
> to be a great developer's OS and an also-ran production platform
> (Dag-Erling Smorgrav's "submit patches or shut up") or would it be
> better in the long term to shift some resources (like incremental
> security patches) in order to boost market share?

You apparently haven't tried benchmarking a Blade 100 vs. just about 
anything running FreeBSD that costs $995.  I agree the Blade 100 is
the best 64-bit RISC workstation you can buy for $995, but then again
it's the only RISC workstation you can buy for $995.  I can build an
Athlon/FreeBSD system for $995 that will run rings around the Blade
100, and have enough money left over for a good lunch.

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/
