Date: Fri, 13 Apr 2001 08:42:20 -0700 (PDT)
From: Roger Marquis
To: security@FreeBSD.ORG
Subject: Re: Security Announcements & Incremental Patches

> > Production systems administration has to be conservative. A good systems
> > administrator would *NEVER* run cvsup or -STABLE on a revenue
> > generating production server for example. Change deltas must be
> > kept to a minimum to minimize the risk of downtime or application
> > problems.
>
> But below you seem to have an inordinate fondness for the Solaris patch
> mechanism, which is the same thing, but in binary form. So what's the
> difference? Just your lack of understanding?

What isn't incremental about Solaris patches? Even the patch clusters are broken down by individual patch. They're also released with lengthy readme files allowing an admin to pick and choose. The differences are substantial (to experienced admins at least).

Another difference between Solaris and FreeBSD patches is the level of QA. Even among the FreeBSD security patches published in the last few months many (most?) have had incorrect path names.

> The usual method of handling this in a production environment is to
> have a "build box"

This is a good practice if you're doing a FreeBSD cvsup or using -STABLE. It would be overkill on a Solaris system.

> you've tested the build, you install it on your production machines as
> operations allow.

Nice that you have the time to go through all that trouble just to apply a minor patch. Most production environments, in my experience, do not. When your systems are in various remote datacenters such a model would be entirely unworkable. You have to do this for major upgrades of course, but an OS shouldn't force you through this hoop more often than every 18 to 24 months.

> Bullshit. B U L L S H I T. The "market share" of Linux and FreeBSD are
> unknown and unknowable, so whatever you think they are is probably just
> as WRONG as what Linus and JKH think they are

Your agenda is showing Wes. The market share of various production systems is pretty obvious to those who spend any amount of time in Silicon Valley datacenters.

> and to lump this stupid-ass
> misunderstanding of what -stable is as the sole reason Linux has more
> users than FreeBSD is so far beyond naive to be an out-and-out lie. You,
> sir, are a scoundrel.

I think people understand what -STABLE is, it's normally called beta.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/