[Info-vax] New VSI Roadmap (yipee!)

William Pechter pechter at S20.pechter.dyndns.org
Thu Mar 5 15:58:52 EST 2015


In article <mcv5nh$ida$1 at panix2.panix.com>,
Scott Dorsey <kludge at panix.com> wrote:
>Simon Clubley  <clubley at remove_me.eisner.decus.org-Earth.UFP> wrote:
>>On 2015-02-28, Stephen Hoffman <seaohveh at hoffmanlabs.invalid> wrote:
>>> On 2015-02-28 15:57:39 +0000, Kerry Main said:
>>>
>>>> Now, if there had not been such a significant increase in the OS 
>>>> instances, the monthly security patches might have been more
>>>> manageable, but the culture of 1 or 2 bus apps per OS instance that
>>>> was established in the distributed days of commodity OS's (and 
>>>> significantly boosted by the likes of VMware) has resulted in the 
>>>> OPS groups throwing up their hands and adopting
>>>> patch-n-pray.
>>>
>>> Not having patches and not having updates concerns me as much - if not
>>> more - than having patches to apply.  VMS just is not that secure.
>>
>>Congratulations Hoff, you got it in one.
>>
>>About a year or two ago when Kerry was in full flow about his 10-40
>>patches a month, I did an analysis of the RHEL patches for a month
>>(and posted the results to comp.os.vms).
>>
>>What I found was that for many of the patches, they either covered
>>application level software issues which should have been investigated
>>for VMS as well (PHP, Java, etc) or involved functionality which
>>simply doesn't exist on VMS.
>>
>>For that month's worth of data, the number of core Linux issues with
>>comparable VMS core functionality were _way_ under that 10-40 patches
>>per month number Kerry likes to use.
>
>Right.  The problem is that we have organizations that are required to
>install all patches.  They may not have Apache installed, but by God
>there's an Apache patch for Red Hat and update has to be run today or
>heads will roll.
>
>This is a side-effect of managers coming from the Windows world where
>everything is one monolithic block, but sadly this is the case in a 
>large number of organizations and it's something we all have to deal with.
>--scott
>
>-- 
>"C'est un Nagra. C'est suisse, et tres, tres precis."

How do you install an Apache patch for RHEL if RHEL isn't on the box in
question?

The patch will fail to apply, right?  Then you have to explain the failure
in triplicate.

Actually the Red Hat Network was slick about listing the patches applicable
to each machine based on rpms (software packages) in the inventory for that
server...

But as soon as you compile newer, more secure stuff you're responsible for all
the patching.

(Just like when I worked on SysV and had to build everything from source in
'87).

One of the fun things when you deviate from the vendor's stuff.  And Oracle
middleware used old ugly Apache without support for logfiles over 2GB.
Debug something tough and have their web server crash because of the log file
size.

But we had to use their stuff over the newer RHEL version that was fixed 
or the Apache version that was even newer.

Many Linux/Unix app vendors don't keep the open source pieces up to date.

I preferred the ones that let you use your standard Apache to unknown
patched versions they hacked up.


Bill

-- 
Digital had it then.  Don't you wish you could buy it now!
pechter-at-gmail.com  http://xkcd.com/705/


