It's Patch Tuesday...Again...
Overnight I received an email from a friend, forwarding me an article from Redmond Magazine. The topic of the article was the huge Patch Tuesday dump that our friends in Redmond have sent down. There was also some discussion about the patch bundles dropped by Adobe and Oracle. In the words of the author of the article, "It's a heavy burden for just this month." The email, though, was what I wanted to highlight. My friend said to me:
Here's a good ad for Linux! ("Ya load 16 patches and whaddayaget? Another day older and deeper in debt. Saint Peter dontcha take me 'cause I can't goooooo; I owe my soul to the Microsoft stooooore" - with apologies to Tennessee Ernie Ford).
I am sure there are a number of Linux people that are waking up and pointing at their Windows-using friends and saying "I told you so," but I can assure you, most of those people are not professional Linux administrators. In fact, most of us that use Linux for a living would say "not so fast...."
Over the past two weeks I have had a number of things patched on my Fedora 13 system. I say "things" because I really was not paying attention to exactly what was being patched, pretty much the same way I do not really pay much attention to what Microsoft (or Oracle or Adobe) are patching this week. Now you might argue that I not only should be paying attention, but that I should inspect each and every patch for relevancy and value before I apply it. Yea, OK. Show of hands, who has time for that? Yes, there are some of you out there that not only do test each and every patch, but know exactly the impact it is going to have on your systems. Further, you also know that if one of your systems is down for even a second, the amount of money lost is more than enough to pay for the test and development systems needed to test patches when they come out. But most of us just take it on faith. We have to.
Linux continues to be one of the safest operating systems on the market today. This is because of the model of access (least privilege) and the intense scrutiny of the code. But even with an average of one bug per 1000 lines of code, even we have patches, security issues and exploits that we have to be ever vigilant of. It is easy for us to point our fingers and laugh, but we should not become complacent.
David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack



Comments
song quotation
Your friend should apologize to Merle Travis, he's the songwriter!
A couple of fallacies
"Linux continues to be one of the safest operating systems on the market today. This is because of the model of access (least privilege) and the intense scrutiny of the code".
The 'model of access' is chunky as a bunch of bricks and leads inevitably to more access being given than is necessary. ACLs are the way to go, but who uses them? In my experience not many admins know that they exist.
As for 'intense scrutiny', I think that just because the source is open it doesn't mean that people read it. Who's got the time or inclination? I'd suspect that source code, especially driver source code, is only read by a few interested people.
Linux is probably the safest operating system mainly because it is not the big bad ogre of Microsoft and because it is a distributed target - when someone writes attack code they are trying to outwit the writer of the original code, Microsoft, without access to the code. It's no fun if someone gives you the answers to the puzzle before you even started.
Cheers,
Cliff
ACLs can just as quickly
ACLs can just as quickly devolve into giving too much access.
Well, there's patching, and then there's patching
I update my Linux boxes every day. Windows receives updates once a month. How many exploits is Microsoft purposefully hiding from the public? There's patching, and then there's patching. I'd rather get patched by Linux than Microsoft...any day of the week, literally.
Agree
Last time I went to update Ubuntu there were like 100 updates in one month.
No.. They were not all for the operating system or kernel.. But to the average user it's like - 'This OS has a bunch of patches.'
I am a Windows system admin right now and I always have to point out to folks that Linux has just as many patches if not more.
Good Point
There is one thing worse than sending down a slew of patches, and that would be to not provide the fixes at all. I use and support free and open source software. However, I could never understand why liking one thing should lead to hating another.
Two things are worse: not
Two things are worse: not providing updates and providing updates in such a way that you cannot determine what the patch affects. The LWN RSS feed gives me a nice heads-up as to what is being fixed in Debian. And aptitude shows me what will be updated, letting me choose which to update now, and which to leave for later.
Pointless
Waste of electrons.
RE: Pointless
Save the electrons!