It's Patch Tuesday...Again...

Overnight I received an email from a friend, forwarding me an article from Redmond Magazine. The topic of the magazine was the huge Patch Tuesday dump that our friends in Redmond have sent down. There was also some discussion about the patch bundles dropped by Adobe and Oracle as well. In the words of the author of the article It's a heavy burden for just this month. The email, though was what I wanted to highlight. My friend said to me:

Here's a good ad for Linux! ("Ya load 16 patches and whaddayaget? Another day older and deeper in debt. Saint Peter dontcha take me 'cause I can't goooooo; I owe my soul to the Microsoft stooooore" - with apologies to Tennessee Ernie Ford).

I am sure there are a number of Linux people that are waking up and pointing at their Windows using friends and saying I told you so, but I can assure you, most of those people are not professional Linux administrators. In fact, most of us that use Linux for a living would say not so fast.... Over the past two weeks I have had a number of things patched on my Fedora 13 system. I say things because I really was not paying attention to exactly what was being patched, pretty much the same way I do not not really pay much attention to what Microsoft (or Oracle or Adobe) are patching this week. Now you might argue that I not only should be paying attention, but that I inspect each and every patch before I apply it for relevancy and value. Yea, OK. Show of hands, who has time for that? Yes, there are some of you out there that not only do test each and every patch, but know exactly the impact it is going to have on your systems. Further, you also know that if one of your systems is down for even a second, the amount of money lost is more than enough to pay for the test and development systems needed to test patches when they come out. But most of us just take it on faith. We have to. Linux continues to be one of the safest operating systems on the market today. This is because of the model of access (least privilege) and the intense scrutiny of the code. But even with an average of one bug per 1000 lines of code, even we have patches, security issues and exploits that we have to be ever vigilant of. It is easy for us to point our fingers and laugh, but we should not become complacent.

______________________

David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

song quotation

Patrick Dirickx's picture

your friend should apologize to Merle Travis, he's the songwriter !

A couple of fallacies

Cliff's picture

"Linux continues to be one of the safest operating systems on the market today. This is because of the model of access (least privilege) and the intense scrutiny of the code".

The 'model of access' is chunky as a bunch of bricks and leads inevitably to more access being given that is necessary. ACLs are the way to go, but who uses them? In my experience not many admins know that they exist.

As for 'intense scrutiny', I think that just because the source is open it doesn't mean that people read it. Who's got the time or inclination? I'd suspect that source code, especially driver source code, is only read by a few interested people.

Linux is probably the safest operating system mainly because it is not the big bad ogre of Microsoft and because it is a distributed target - when someone writes attack code they are trying to outwit the writer of the original code, Microsoft, without access to the code. It's no fun if someone gives you the answers to the puzzle before you even started.

Cheers,

Cliff

ACLs can just as quickly

turn_self_off's picture

ACLs can just as quickly devolve into giving to much access.

Well, there's patching, and then there's patching

antIP's picture

I update my Linux boxes everyday. Windows receives updates once a month. How many exploits is Microsoft purposefully hiding from the public? There's patching, and then there's patching. I'd rather get patched by Linux than Microsoft...any day of the week, literally.

Agree

Anonymous's picture

Last time I went to update Ubuntu there was like 100 updates in one month

No.. They were not all for the operating system or kernel.. But to the average user it's like - 'This OS has a bunch of patches.'

I am a Windows system admin right now and I always have to point out to folks that Linux has just as many patches if not more.

Good Point

Tim's picture

There is one thing worse than sending down a slew of patches, and that would be to not provide the fixes at all. I use and support free and open source software. However, I could never understand why liking one thing should lead to hating another.

Two things are worse: not

fest3er8's picture

Two things are worse: not providing updates and providing updates in such a way that you cannot determine what the patch affects. The LWN RSS feed gives me a nice heads-up as to what is being fixed in Debian. And aptitude shows me what will be updated, letting me choose which to update now, and which to leave for later.

Pointless

Anonymous's picture

Waste of electrons.

RE: Pointless

Joe Flynn's picture

Save the electrons!

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix