From: Wes Peters <wes@softweyr.com>
Organization: Softweyr LLC
Date: Fri, 13 Apr 2001 08:40:09 -0600
Message-ID: <3AD70FC9.1628DB70@softweyr.com>
To: Roger Marquis
Cc: security@FreeBSD.ORG
Subject: Re: Security Announcements & Incremental Patches
Sender: owner-freebsd-security@FreeBSD.ORG

Roger Marquis wrote:
>
> Scott Johnson wrote:
> > There is a difference between security fixes and a 'more low-key and
> > conservative set of changes intended for our next mainstream release'.
>
> I think this is a point many posters are missing. Production
> systems administration has to be conservative. A good systems
> administrator would *NEVER* run cvsup or -STABLE on a revenue
> generating production server for example. Change deltas must be
> kept to a minimum to minimize the risk of downtime or application
> problems.

But below you seem to have an inordinate fondness for the Solaris patch
mechanism, which is the same thing, but in binary form. So what's the
difference? Just your lack of understanding?

The usual method of handling this in a production environment is to have a
"build box", where you cvsup and make world, then test your production apps
off-line on copies of your real database(s). Then, once you've tested the
build, you install it on your production machines as operations allow.
It is also important to keep network services like DNS on separate boxes
from the rest of your production environment. Servers like this can
typically be rather small boxes, and you should have at least two of them
anyhow, so you can reload one with the new build, verify correct function,
then reload the other during off-peak demand.

None of this is rocket science, it's just good operational discipline. I've
even used my laptop in this role, as the build/test box for system updates,
until I bought a small SMP desktop so I could fully test SMP operations with
our multi-threaded application just to be sure.

So what part of this makes you nervous? Spending $500 on a build box?

> > I just want to add my voice as to how I use FreeBSD. Simply saying 'use
> > -STABLE' to those of us running -RELEASE on production systems isn't
> > appropriate,

Of course it is, if you do it sensibly. You have to get critical security
and functionality updates somehow, and this is one of the best maintenance
systems I've encountered in 20 years of UNIX work.

> Agreed. It might be worthwhile to point out that Linux is gaining
> market share by leaps and bounds while FreeBSD's user base remains
> relatively stagnant for *exactly* this reason.

Bullshit. B U L L S H I T. The "market share" of Linux and FreeBSD are
unknown and unknowable, so whatever you think they are is probably just as
WRONG as what Linus and JKH think they are, and to lump this stupid-ass
misunderstanding of what -stable is as the sole reason Linux has more users
than FreeBSD is so far beyond naive to be an out-and-out lie. You, sir, are
a scoundrel.

> This is all IMHO. Perhaps I'm just spoiled by Solaris' patch
> process. Yet we have seen a significant increase in Sun purchases
> thanks to their Blade 100 and its $1000 price (headless). The
> FreeBSD community has to make the choice: do you want FreeBSD
> to be a great developer's OS and an also-ran production platform
> (Dag-Erling Smorgrav's "submit patches or shut up") or would it be
> better in the long term to shift some resources (like incremental
> security patches) in order to boost market share?

You apparently haven't tried benchmarking a Blade 100 vs. just about
anything running FreeBSD that costs $995. I agree the Blade 100 is the best
64-bit RISC workstation you can buy for $995, but then again it's the only
RISC workstation you can buy for $995. I can build an Athlon/FreeBSD system
for $995 that will run rings around the Blade 100, and have enough money
left over for a good lunch.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                               Softweyr LLC
wes@softweyr.com                                   http://softweyr.com/