[nzlug] Stupid question department
Daniel Pittman
daniel at rimspace.net
Mon Oct 2 13:27:45 NZDT 2006
Volker Kuhlmann <hidden at paradise.net.nz> writes:
>> I manage is exactly this: we found that the cost of trying to backport
>> security ourselves would have been vastly higher than the top end
>> license cost of a RedHat or SuSE "Enterprise" product.[1]
>
>> [1] ...and infinitely more than the cost of using Debian or Ubuntu, who
>> do the work to backport fixes for free, and faster than the
>> commercial operations in many cases.
>
> Yes, and in the case of Ubuntu, twice recently you got what you paid
> for: broken security "fixes" taking your system down.
I am curious which bugs you mean. I am aware that a kernel update
caused an inadvertent ABI bump, resulting in binary-only drivers such as
the NVIDIA video driver failing.
I am also aware of some issues in packages released as part of the
dapper-updates stream, which caused X to fail. That was related to
changes to the PCI probing code, intended to better support machines
with multiple PCI bus domains.
However, I may have missed other issues and would appreciate if you
could direct me to information on them. If there are other problems I
would like to be aware of them.
> Speed isn't what you want most here. You want a fix which a) fixes the
> security hole, b) keeps your system running as before, so you can feel
> confident that the time you save by using vendor fixes isn't gobbled
> up by your emergency repairs.
Absolutely. That was implicit in what I wrote, although it should have
been explicit, I guess.
In my experience Debian definitely provides that, and Ubuntu has done
almost as well.
Obviously, though, if there have been serious breakages that I am
unaware of then my opinions may well be wrong -- an error I would very
much like to correct.
> I know that e.g. SUSE does a lot of regression testing before
> releasing fixes, which obviously increases release time.
Yes, it certainly can.
> Also, at least SUSE provides the fixes for free (or did you mean
> specifically Linux "enterprise" products?),
I did specifically mean the enterprise products, and only those. In
both cases the security fixes are free, but only if you already paid the
up-front license cost for the software.
> so neither your "faster" nor your "cheaper" argument applies. Scratch
> that footnote, the rest of your argumentation was good.
Well, Ubuntu still deliver faster updates in many cases -- but the cost
would be unacceptably high if they were routinely faulty.
I do stand by the cheaper argument. The free options from RedHat and
SuSE come at the same cost, but they certainly don't come with the same
assurance that your security fixes will be trouble-free that the
enterprise versions do.
They are not the only considerations, though, and thank you for making
that explicit.
Regards,
Daniel
--
Digital Infrastructure Solutions -- making IT simple, stable and secure
Phone: 0401 155 707 email: contact at digital-infrastructure.com.au
http://digital-infrastructure.com.au/