[nSLUG] Finding linux products and software

Bill Davidson billdavidson at eastlink.ca
Fri Apr 13 14:58:45 ADT 2007


Hi:
On Fri, 2007-04-13 at 09:37 -0300, D G Teed wrote:
> When I ran 5.1 on a test desktop, the kernel would be updated every 2
> weeks
> or so, and there were always dozens of updates per week.  That sort
> of thing is unacceptable in a production server environment.

I've never run any version of Ubuntu, so you'll have to forgive my
ignorance, but does it not allow you to decide whether or not to install
available updates?  Are the updates not described so you can decide
whether a given update fixes an important security vulnerability in a
program you use, or is just a feature-adding minor version bump in some
package you seldom use?

The standard Linux kernels (at kernel.org) seldom update within 2 weeks,
so I'm curious why that version of that distro would have kernel updates
that often.  Of course, there have been brief periods when the official
kernel sources updated frequently (e.g., 2.4.33 to 2.4.33.1, 8 days;
2.4.33.1 to 2.4.33.2, 3 days; 2.4.33.2 to 2.4.33.3, 9 days), and one may
ask why the kernel developers felt it was necessary to issue that many
sub-minor patches that quickly -- often it was because the previous
release had either a security vulnerability or a reliability issue which
would most likely affect servers.  For example, from ChangeLog-2.4.33.4:

        EXT2: avoid crashing by not dividing by zero.
        knfsd: Fix race that can disable NFS server.
        i386: fix overflow in vmap on an x86 system which has more than 4GB memory.

Or from ChangeLog-2.4.33.2:

        [SCTP] Local privilege elevation - CVE-2006-3745

That last one was an important security fix, but not important if you
don't use SCTP.  So you may well question why kernel patches come out
that frequently, but it seems inappropriate to criticize the maintainers
of a given distro for pushing those patches downstream.

I have maintained systems in enterprise environments and I know how
difficult updates can be.  People assume it is your fault if they are
inconvenienced for even a minute, and if it happens a couple of times in
a week people start grumbling.  But if a server crashes or is
compromised because you didn't install available patches, then it really
hits the fan and people start to question your competence.  Plus you get
no sympathy from other sysadmins ("Dude, you know that vulnerability was
fixed like two weeks ago!").

For that matter, I can recall times when Debian "stable" systems would
want multiple updates almost daily, and almost all of those were
security updates.  Of course, they generally weren't kernel updates and
so did not require a reboot, but they might interrupt some service
momentarily.

I guess my point is that while I can't really question your conclusions
since I never shared your experience, I think your suggestion that
frequent updates are, in themselves, "unacceptable" is oversimplified.
In fact, you could make the case that failing to keep production servers
patched in a timely manner is unacceptable.



-- 
Bill Davidson <billdavidson at eastlink.ca>
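The triage Bill describes (deciding per update whether it is a security fix and whether it forces a reboot) can be done before installing anything. The script below is an added example and not part of the original message or of any distribution's tooling: it parses "Inst" lines in the shape `apt-get -s upgrade` prints on Debian and Ubuntu, treats an origin containing "Security" as a security update and a `linux-image-*` package as one that needs a reboot. The package names, versions and origins in SAMPLE_UPDATES are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `apt-get -s upgrade` "Inst" lines (not real output from
# any system; the package versions and origins are made up for illustration).
SAMPLE_UPDATES='Inst openssl [0.9.8c-4etch1] (0.9.8c-4etch2 Debian-Security:4.0/stable [i386])
Inst linux-image-2.6.18-4-686 [2.6.18.dfsg.1-12] (2.6.18.dfsg.1-12etch2 Debian-Security:4.0/stable [i386])
Inst vim [1:7.0-122+1etch3] (1:7.0-122+1etch4 Debian:4.0/stable [i386])
Inst libgtk2.0-0 [2.8.20-7] (2.8.20-8 Debian:4.0/stable [i386])'

# Read "Inst" lines on stdin and print one tab-separated line per pending update:
#   package  kind(security|other)  reboot(yes|no)
# "security" = the new version comes from an origin containing "Security";
# "reboot"   = the package is a kernel image, which cannot be swapped in live.
classify_updates() {
    awk '$1 == "Inst" {
        pkg = $2
        kind = ($0 ~ /Security/) ? "security" : "other"
        reboot = (pkg ~ /^linux-image-/) ? "yes" : "no"
        printf "%s\t%s\t%s\n", pkg, kind, reboot
    }'
}

# Number of pending updates that are security fixes (stdin: "Inst" lines).
count_security() {
    classify_updates | awk -F'\t' '$2 == "security" { n++ } END { print n + 0 }'
}

# Number of pending updates that need a reboot (stdin: "Inst" lines).
count_reboot() {
    classify_updates | awk -F'\t' '$3 == "yes" { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample. On a real Debian/Ubuntu host you
# would feed it `apt-get -s upgrade` instead of the sample text.
printf '%s\n' "$SAMPLE_UPDATES" | classify_updates
```

Run over the sample this reports two security updates (openssl and the kernel image), two ordinary version bumps, and exactly one update that cannot take effect without a reboot; that is the information needed to schedule the kernel update separately while applying the userland security fix immediately.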




