[Info-vax] Variable declarations, was: Re: improving EDT

Kerry Main kemain.nospam at gmail.com
Tue Nov 29 22:38:57 EST 2016


> -----Original Message-----
> From: Info-vax [mailto:info-vax-bounces at rbnsn.com] On Behalf
> Of Arne Vajhøj via Info-vax
> Sent: 29-Nov-16 9:59 PM
> To: info-vax at rbnsn.com
> Cc: Arne Vajhøj <arne at vajhoej.dk>
> Subject: Re: [Info-vax] Variable declarations, was: Re: improving EDT
> 
> On 11/29/2016 9:41 PM, Kerry Main wrote:
> >> Of Arne Vajhøj via Info-vax
> >> On 11/23/2016 10:58 AM, Kerry Main wrote:
> >>> Unfortunately, in the commodity OS world, due to the volume of
> >>> monthly security patches, many Operations shops have adopted a
> >>> "patch-n-pray" philosophy because there is no way the business
> >>> will give the OPS folks the corresponding amount of time to
> >>> re-test important applications.
> >>
> >> By commodity OS do you mean OS where software is available for
> >> and security bugs get found and patched?
> >
> > Arne, with all due respect, as a developer, you look at the huge
> > number of 20-30+ security issues found each and EVERY month on
> > commodity OS's as a good thing.
> 
> > I look at the huge number of 20-30 security issues found every
> > month on commodity OS's as a nightmare for Operations support who
> > have to read release notes, determine which ones apply and which
> > ones don't (let's not forget release notes are vague for a reason),
> > work with App groups to re-test important Apps in Dev/test/QA, do
> > all of the massive paperwork for change mgmt., sitting through
> > weekly CAB meetings (on par with getting teeth pulled), configure
> > the tools for rolling out, schedule downtime with the Business
> > groups (kernel patches require reboot regardless of physical/VM),
> > do the roll-outs (usually after midnight), fix any issues that crop
> > up that were not caught (if any testing was even done).
> >
> > Say you have a small to medium env of 50-200 server OS's
> > (physical/VM makes no difference) - now review the last paragraph.
> >
> > Say you have a large environment like Citibank who has thousands
> > of commodity OS's worldwide - now review the last paragraph.
> 
> I think you are missing the point.
> 
> I don't think anyone is disagreeing that OS X with
> 10000 supported apps and 20 monthly security fixes is worse than
> OS Y with 10000 supported apps and 1 monthly security fix.
> 
> But is that what we are comparing?
> 
> Or are we comparing OS X with 10000 supported apps and
> 20 monthly security fixes with OS Y with 100 supported apps of
> which only 10 get security fixes and 1 monthly security fix.
> 
> If you look at the actual list of security updates for commodity OS
> then you will see that most of them do not relate to the OS
> core but to all sorts of applications including web browsers, email
> clients etc.
> 
> Arne
> 

Not quite - the majority of security issues on commodity OS's are
not just the kernel/OS patches, but LPs/add-ons etc. that also
apply very much to servers. Even browsers are installed on
servers because, for various reasons (like the SysAdmin being in
the computer room), some mgmt. tools are run from the server.

That is the huge issue we have today - Operations groups care
about servers - not desktop clients. Client/desktop support is a
totally different group from Operations Support. The
Desktop/Client support groups have an even tougher job, because
they need to review these lists and then determine which need to
be rolled out to thousands of desktop/laptop clients.

Sample - reference the Red Hat Security patch web site:
https://www.redhat.com/archives/enterprise-watch-list/
(click on thread for ANY month. Now imagine you are an Operations
resource who has to read through each of these patches and then
determine if it is needed on any of his/her 500+ server OS
instances.)

The scary part here is that by looking at this link, scrolling
down and looking at various months in previous years, the number
of security patches per month has NOT decreased over time as one
might reasonably expect. 

Btw, an even scarier point is that many Linux SysAdmins are not
aware of this site. You can be sure the bad guys know about it.

Question - is 20-30+ security patches per month now considered
acceptable when the mandate is to build a rock solid solution?


Regards,

Kerry Main
Kerry dot main at starkgaming dot com
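The triage step described above (read each advisory, decide whether it applies to any of several hundred server instances) is mechanical enough to script. What follows is an added example, not code from the mailing-list post or from Red Hat; it assumes the month's advisories have been exported into simple records (advisory id, severity, affected package, fixed version-release, reboot required) and that a package inventory per server is available, e.g. from `rpm -qa`. The advisory ids, package versions and host names below are constructed placeholders, and the version comparison is a simplified form of rpm's rpmvercmp (no epoch, tilde or caret handling).

```python
"""Triage a month of security advisories against a server inventory.

Added example for illustration; not the original post's code and not
Red Hat tooling. All advisory ids, versions and hosts are constructed.
"""
import re
from collections import defaultdict

# Constructed sample advisories for one month (ids are placeholders).
ADVISORIES = [
    {"id": "EXAMPLE-2016:0001", "severity": "Important", "package": "kernel",
     "fixed": "3.10.0-514.2.2", "reboot": True},
    {"id": "EXAMPLE-2016:0002", "severity": "Critical", "package": "firefox",
     "fixed": "45.5.1-1", "reboot": False},
    {"id": "EXAMPLE-2016:0003", "severity": "Moderate", "package": "openssl",
     "fixed": "1.0.1e-60", "reboot": False},
]

# Constructed inventory: host -> {package: installed version-release}.
SERVERS = {
    "web01": {"kernel": "3.10.0-514.2.2", "openssl": "1.0.1e-57", "httpd": "2.4.6-45"},
    "db01": {"kernel": "3.10.0-327.36.3", "openssl": "1.0.1e-60"},
    "mgmt01": {"kernel": "3.10.0-514.2.2", "firefox": "45.4.0-1", "openssl": "1.0.1e-57"},
}


def _segments(s):
    """Split a version string into runs of digits and runs of letters."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp: compare segment by segment, left to right.

    Numeric segments compare as integers (so '10' > '2', unlike a plain
    string compare), alphabetic segments compare lexically, a numeric
    segment beats an alphabetic one, and if all shared segments are equal
    the string with segments left over is newer. Returns -1, 0 or 1.
    """
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def triage(advisories, servers):
    """Map each host to the advisories that apply to it.

    An advisory applies when the affected package is installed and the
    installed version-release is older than the fixed one. Hosts without
    the package, or already at/after the fix, are skipped.
    """
    needed = defaultdict(list)
    for adv in advisories:
        for host, pkgs in servers.items():
            installed = pkgs.get(adv["package"])
            if installed is None:
                continue  # package not present: advisory does not apply
            if evr_cmp(installed, adv["fixed"]) < 0:
                needed[host].append(
                    (adv["id"], adv["package"], installed, adv["fixed"], adv["reboot"]))
    return dict(needed)


def summarize(plan):
    """Per host: number of applicable advisories and whether a reboot window is needed."""
    return {host: {"count": len(items), "reboot": any(i[4] for i in items)}
            for host, items in plan.items()}


if __name__ == "__main__":
    plan = triage(ADVISORIES, SERVERS)
    for host, info in sorted(summarize(plan).items()):
        print(f"{host}: {info['count']} advisories, reboot={info['reboot']}")
        for adv_id, pkg, have, fixed, _ in plan[host]:
            print(f"  {adv_id} {pkg} {have} -> {fixed}")
```

On a real host the same question is answered by `yum updateinfo list security` (the package manager does the version comparison properly, epochs included); the value of a script like this is running the comparison across an exported inventory of hundreds of hosts at once, so the change-management paperwork and reboot scheduling start from the list of hosts actually affected rather than from the full monthly advisory list.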