vulnerability of Linux

John Summerfied debian at herakles.homelinux.org
Tue Nov 29 05:48:54 UTC 2005


Steffen Kluge wrote:
> On Sat, 2005-11-26 at 07:47 +0800, John Summerfied wrote:
> 
>>That is plain stupidity. It is worse than securing your system sensibly 
>>and applying _no_ updates.
> 
> 
> Applying security fixes as they are released is part of securing a
> system sensibly.

Look at what they fix; not all security updates, even when they hit 
packages on one of my systems, matter.
> 
>>If you blindly apply updates as they appear, you will get a broken 
>>system, nothing surer.
> 
> 
> Doing anything blindly is not a good approach. However, I have yet to
> break a system by following this rule:
> 
>       * On servers, which have a minimal set of packages installed (my
>         servers are usually single-trick ponies), I run automatic
>         updates.
>       * On workstations (with loads of multimedia, end-user, and whatnot
>         applications) I run yum daily to check for updates and then
>         apply them manually after assessing the risk that mplayer might
>         stop working, or something.

However, your chances of breaking a system are quite good.

FC5 beta 1 installed a kernel on my laptop that does not boot. While 
this is a beta and all bets are off, it's perfectly possible that the 
same thing could happen in released versions of Fedora Core. Fedora Core 
3 has had several new upstream kernel releases, and KDE has been upgraded
from 3.3 to 3.4.

3.4 reliably SIGSEGVs on me on two platforms; I've probably not
exercised the right circumstances on FC to find whether we have the 
problem too.
> That said, I wish the yum metadata would contain information pointing
> out security related updates. One could then go and just apply security
> fixes and their dependencies.
> 
> 
>>If you run yum daily to keep the system up2date and something breaks, 
>>you will have no idea whether something changed, what changed or when. 
> 
> 
> Not true, /var/log/yum.log.

It is very hard to read that when your system won't boot. That aside, 
users' most likely reaction when something breaks and they're asked, 
"What changed?" is, "I didn't change anything."

Even mailing the log won't happen if it's your mail server that's down.


-- 

Cheers
John

-- spambait
1aaaaaaa at computerdatasafe.com.au  Z1aaaaaaa at computerdatasafe.com.au
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/

do not reply off-list