Re: Is VMS losing the Financial Sector, also?



On 05/27/07 11:15, Main, Kerry wrote:
-----Original Message-----
From: Ron Johnson [mailto:ron.l.johnson@xxxxxxx]
Sent: May 27, 2007 11:47 AM
To: Info-VAX@xxxxxxxxxxxx
Subject: RE: Is VMS losing the Financial Sector, also?

On Mon, 21 May 2007 21:59:12 -0400, Main, Kerry wrote:
[snip]
The big question is whether Oracle will succeed in making Linux a
serious platform, acceptable to banks for serious applications.
mmm... with 5-20 security patches released each and every month?

[snip]

There were 72 *bug* fixes to RHAS4 between 01-DEC-2006 and 30-APR-2007.
50 were against packages that would typically sit on a server, the rest on
client s/w. Not all of those 50 will be installed at every site.

In that same span, there were 46 security patches:

          LOW  MODERATE  IMPORTANT  CRITICAL
          ---  --------  ---------  --------
DESKTOP:    0         7          4        11
SERVER:     3        12          8         1

So, we see *one* critical server-related security patch in 6 months. Not
bad, in my estimation.


Nice try, but the patches listed on the RH security web site are
*security* patches - not bug fixes (although they do bundle fixes with
their security fixes from what I can tell).

https://www.redhat.com/security/updates/
https://rhn.redhat.com/errata/rhel4as-errata.html

Click a button to filter by All, Security, Bug fixes, Enhancements.
Click another button to sort by date, severity, etc.

An actual tally for each month:
May 2007 - 34
April 2007 - 17
March 2007 - 19
February 2007 - 19
January 2007 - 13 (good month - *only* 13 security patches..)

Total = 102 *security* not "bug" patches.

And keep in mind that many (most?) of the security fixes they rate in
applications as low, moderate, etc. can result in elevated security
privileges and/or the ability to access system-protected data, so IMHO that
is pretty critical.

Keep in mind that most customer environments do not have just one version of
Linux. They have ES3, ES4, ES5 and various WS versions as well, which
means the Operations folks need to track what apps are running on
what servers and then map out what security patches to apply to what
systems.

You don't seem to know very much about Linux package management.

If you are a good sysadmin and have only installed the packages
necessary for your application, then a single "yum update" command
on your test box downloads all the *relevant* patch packages and
installs them. When you are satisfied that the patches don't hose
your system and can schedule an app downtime, run "yum update" again.

Does this not sound like a lot of work?

(and this does not even discuss the re-cert and testing efforts of their
apps with these monthly security patches)

10 various feature bugs per month, and 5 various security bugs per month.
When you consider that there are pushing 8000 (or more?) packages in Red
Hat (and 10000 in Debian), that's just not too shabby.


Looks like a hacker's dream world to me.

You sound jealous. Most people in this group would love for VMS to
have that many applications.

Since it is very difficult for Operations to keep up with all these
security patches in all of their Dev / QA / Test / Prod environments,
corp folks either ignore the patches and hope no one attacks them
(remember, internal users are the biggest threat) or they arrange to set
aside time to test their business apps against the monthly security
patches, which significantly reduces the resources available to do normal
Dev / Test / QA testing for new app functionality requests.

Only if you install a kitchen sink install.

So, these systems go unpatched for extended periods and hackers
(external or internal) are left to do what they want since they know
exactly the vulnerabilities they can capitalize on.

--
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!
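Added example, not from the thread and not Red Hat's tooling: a small Python script that makes the two ways of counting argued over above explicit. The errata records and the installed-package set are constructed sample data, and the advisory ids are placeholders rather than real RHSA numbers. It tallies every published erratum per month (the headline number), then restricts the count to errata that touch packages actually installed on a minimal server build (the "relevant patches" number a `yum update` on such a box would pull), and reports the worst severity that really applies to that host.

```python
"""Tally security errata two ways: everything published vs. what applies
to one host. Constructed sample data; advisory ids are placeholders."""
from collections import Counter
from dataclasses import dataclass
from datetime import date

SEVERITIES = ("Low", "Moderate", "Important", "Critical")


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder ids, not real RHSA numbers
    issued: date
    severity: str         # one of SEVERITIES
    packages: frozenset   # package names the erratum updates


# Constructed sample errata feed (not real advisories), one row per erratum.
SAMPLE_ERRATA = [
    Advisory("RHSA-EXAMPLE-001", date(2007, 1, 9), "Moderate", frozenset({"kernel"})),
    Advisory("RHSA-EXAMPLE-002", date(2007, 1, 22), "Critical", frozenset({"firefox"})),
    Advisory("RHSA-EXAMPLE-003", date(2007, 2, 5), "Low", frozenset({"bind"})),
    Advisory("RHSA-EXAMPLE-004", date(2007, 2, 14), "Important", frozenset({"openssh"})),
    Advisory("RHSA-EXAMPLE-005", date(2007, 3, 1), "Critical", frozenset({"thunderbird"})),
    Advisory("RHSA-EXAMPLE-006", date(2007, 3, 20), "Important", frozenset({"kernel", "kernel-utils"})),
    Advisory("RHSA-EXAMPLE-009", date(2007, 3, 28), "Low", frozenset({"xorg-x11"})),
    Advisory("RHSA-EXAMPLE-007", date(2007, 4, 3), "Moderate", frozenset({"httpd"})),
    Advisory("RHSA-EXAMPLE-008", date(2007, 4, 30), "Critical", frozenset({"openoffice.org"})),
]

# Constructed: packages present on a deliberately minimal server build.
SERVER_PACKAGES = frozenset({"kernel", "openssh", "httpd", "bind", "glibc"})


def tally_by_month(errata):
    """Count errata per calendar month, keyed 'YYYY-MM' (the raw headline number)."""
    counts = Counter(a.issued.strftime("%Y-%m") for a in errata)
    return dict(sorted(counts.items()))


def relevant_to(errata, installed):
    """Keep only errata that update at least one package actually installed."""
    return [a for a in errata if a.packages & installed]


def severity_table(errata, installed):
    """Per severity: (errata published, errata that apply to this host)."""
    published = Counter(a.severity for a in errata)
    on_host = Counter(a.severity for a in relevant_to(errata, installed))
    return {s: (published[s], on_host[s]) for s in SEVERITIES}


def highest_relevant_severity(errata, installed):
    """Worst severity among errata that apply to this host, or None if none do."""
    applicable = relevant_to(errata, installed)
    if not applicable:
        return None
    return max(applicable, key=lambda a: SEVERITIES.index(a.severity)).severity


def main():
    print("Errata per month (everything published):")
    for month, n in tally_by_month(SAMPLE_ERRATA).items():
        print(f"  {month}: {n}")
    print("\nSeverity      published  apply-to-host")
    for sev, (pub, host) in severity_table(SAMPLE_ERRATA, SERVER_PACKAGES).items():
        print(f"  {sev:<12}{pub:>9}{host:>15}")
    print("\nWorst applicable severity:",
          highest_relevant_severity(SAMPLE_ERRATA, SERVER_PACKAGES))
    print("Errata to schedule for this host:",
          ", ".join(a.advisory_id for a in relevant_to(SAMPLE_ERRATA, SERVER_PACKAGES)))


if __name__ == "__main__":
    main()
```

On this constructed feed nine errata were published in four months, three of them Critical, but only five touch the server's package set and none of those is Critical; the worst that applies is Important. Whether the month's number looks alarming or manageable depends entirely on which of the two counts you look at.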