CNET News Article

Bill Rugolsky Jr. brugolsky at telemetry-investments.com
Wed Oct 22 17:47:18 UTC 2003


On Wed, Oct 22, 2003 at 10:17:29AM -0700, Jeff Lasman wrote:
> You make some great points, Bill.  But as a small business man I can't 
> take the time to update or to back out updates daily.  Or even weekly, or 
> monthly, or quarterly, or annually.  I need a server platform I can 
> leave (with only security updates) for at least four years.

I never meant to suggest that production machines should be upgraded
willy-nilly.  Of course not.  Rather, I was countering the idea that
FC1 Test was somehow wildly unstable.

As to security updates for four years, I understand your reluctance to
use RHEL because of price sensitivity.  But Red Hat suffers from price
sensitivity too -- they need to pay people to backport and QA patches.
That involves personnel, equipment, and cycles.  Hardware compatibility
evolves, and so it is necessary to keep around hardware that was in the
HCL for that release.  (E.g., 440GX mobos, sold in large quantities by
VA Linux and others, have broken APIC behavior.)  It may be that others
can provide this service for less money.  This issue has been rehashed
repeatedly on this list.

I'd suggest that if $100K/yr to hire someone to do maintenance on your
systems, including patching and backporting, is too high, then hosting
providers like yourself need to pool your resources to hire folks to do
the work or divide it amongst yourselves.  The Fedora Project is a natural
rendezvous point, and one would assume that with a bit of coordination,
the task of keeping the major server applications secure could be
divided among a relatively small group, with individuals with expertise
in a particular app, say Apache or MySQL, taking on maintenance of that
package.

Patching is occasionally difficult, but the vast majority of security
fixes are simple backports.  The greatest difficulties are (1) when
the upstream app is no longer vulnerable, due to extensive changes,
hence there is nothing to backport, and (2) when patching the kernel,
because of the heavily patched kernels in common use.  One of the goals
of Fedora Core is to keep the kernel closer to mainline, and that may help.

Security-related backported patches also tend to show up in Debian stable,
so it is often possible to patch an app about which one has little clue.

If you (or your customers) want *guarantees* regarding security updates,
it is going to cost you money; there is no simple way around that.

Regards,

	Bill Rugolsky
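
The two backport outcomes the message above describes, worked through as an added example (this is not code from the mail, from Fedora, or from Red Hat's tooling): a fix that applies mechanically because the vulnerable function is unchanged in the shipped release, and a fix that cannot be backported because upstream rewrote the function first. The three versions of `parse.c`, the function names `copy_name` and `name_set`, and the constant `NAME_LEN` are constructed for the demonstration; `apply_unified_diff` is a deliberately small re-implementation of the context search that patch(1) performs (offset, but no fuzz), so the outcome can be seen without shelling out.

```python
import difflib

# Constructed for this example: the release a distribution shipped and must
# keep secure for years (copy_name and NAME_LEN are hypothetical names).
SHIPPED_1_0 = """\
/* parse.c - version 1.0 */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 64

int copy_name(char *dst, const char *src)
{
    strcpy(dst, src);
    return 0;
}
"""

# Constructed: upstream 1.1 added an unrelated helper, then fixed the
# unchecked strcpy.  The function itself is unchanged, so the hunk's context
# still exists in 1.0 and the fix backports mechanically (with an offset).
UPSTREAM_1_1 = SHIPPED_1_0.replace("version 1.0", "version 1.1").replace(
    "#define NAME_LEN 64\n",
    "#define NAME_LEN 64\n\n/* helper added in 1.1, unrelated to the fix */\n"
    "static size_t trimmed_len(const char *s) { return strlen(s); }\n")
LENGTH_CHECK = "    if (strlen(src) >= NAME_LEN)\n        return -1;\n"
UPSTREAM_1_1_FIXED = UPSTREAM_1_1.replace(
    "    strcpy(dst, src);\n", LENGTH_CHECK + "    strcpy(dst, src);\n")

# Constructed: upstream 2.0 rewrote the function before fixing it.  The hunk's
# context no longer exists in 1.0, so there is nothing to backport and the
# maintainer has to write the 1.0 fix by hand from an understanding of the bug.
UPSTREAM_2_0 = """\
/* parse.c - version 2.0 */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 64

struct name { char buf[NAME_LEN]; };

int name_set(struct name *n, const char *src)
{
    memcpy(n->buf, src, strlen(src) + 1);
    return 0;
}
"""
UPSTREAM_2_0_FIXED = UPSTREAM_2_0.replace(
    "    memcpy(n->buf, src, strlen(src) + 1);\n",
    LENGTH_CHECK + "    memcpy(n->buf, src, strlen(src) + 1);\n")


def make_fix_patch(before, after):
    """The fix as upstream would publish it: a unified diff, as a list of lines."""
    return list(difflib.unified_diff(before.splitlines(keepends=True),
                                     after.splitlines(keepends=True),
                                     "a/parse.c", "b/parse.c"))


def parse_hunks(patch_lines):
    """Return (old_start, old_side, new_side) for each @@ hunk of a one-file diff."""
    hunks, cur = [], None
    for line in patch_lines:
        if line.startswith("@@"):
            old_start = int(line.split()[1].lstrip("-").split(",")[0])
            cur = (old_start, [], [])
            hunks.append(cur)
        elif cur is not None:          # the ---/+++ headers precede the first @@
            tag, text = line[0], line[1:]
            if tag in " -":
                cur[1].append(text)    # context + removed lines: what must exist
            if tag in " +":
                cur[2].append(text)    # context + added lines: what replaces it
    return hunks


def apply_unified_diff(source, patch_lines):
    """Apply a one-file unified diff the way patch(1) does, minus fuzz.

    A hunk's old side must be found verbatim: first at the line the hunk
    names, then at growing offsets in both directions.  Returns
    (patched_text, report); raises ValueError when the context is gone.
    """
    lines = source.splitlines(keepends=True)
    report, drift = [], 0              # drift: line-count change from earlier hunks
    for old_start, old, new in parse_hunks(patch_lines):
        want, found = old_start - 1 + drift, None
        for off in range(len(lines) + 1):
            for cand in (want - off, want + off):
                if 0 <= cand <= len(lines) - len(old) and lines[cand:cand + len(old)] == old:
                    found = cand
                    break
            if found is not None:
                break
        if found is None:
            raise ValueError(f"hunk at line {old_start}: context not found in target")
        lines[found:found + len(old)] = new
        drift += len(new) - len(old)
        report.append(f"hunk succeeded at {found + 1} (offset {found - old_start + 1})")
    return "".join(lines), report


def backport(shipped, upstream_before, upstream_after):
    """("ok", patched, report) if the fix applies mechanically, else ("manual", None, why)."""
    try:
        patched, report = apply_unified_diff(shipped, make_fix_patch(upstream_before, upstream_after))
        return "ok", patched, report
    except ValueError as exc:
        return "manual", None, str(exc)


if __name__ == "__main__":
    for label, before, after in (("1.1", UPSTREAM_1_1, UPSTREAM_1_1_FIXED),
                                 ("2.0", UPSTREAM_2_0, UPSTREAM_2_0_FIXED)):
        status, _, detail = backport(SHIPPED_1_0, before, after)
        print(f"fix from upstream {label} -> shipped 1.0: {status} {detail}")
```

The first case is the "simple backport" from the message: the hunk lands three lines earlier than upstream says, which is exactly what patch(1) reports as an offset, and the result is a shipped 1.0 with only the security change. The second case is the "nothing to backport" failure mode: the published diff's context names a function 1.0 never had, so the maintainer needs the bug's description (here, an unchecked copy into a fixed buffer) to craft an equivalent check for the old code, which is the work that costs money.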
