[PLUG] On the topic of distributions

Rich Shepard rshepard at appl-ecosys.com
Thu Jan 23 06:23:01 UTC 2003


On Wed, 22 Jan 2003, Dan Young wrote:

> Gentoo's announce mailing list is largely announcements re: security
> fixes. Even if you don't read those, as soon as the ebuild is updated
> and unmasked, you'd see it in your "emerge rsync && emerge world -up
> --deep" sequence. That is roughly equivalent to Debian's "apt-get
> update && apt-get upgrade -s". The recent CVS vulnerabilities were
> patched fairly quickly by this route.

Dan,

  It's nice to see distributions building on the good ideas of others.
 
> Regardless of what distribution you use, it's worth _at least_
> scanning the headlines at lwn.net if just to know what vulnerabilities
> are out there. Most of the high-profile ones show up there. Some
> places take longer than others to release patched versions. Do you
> really want to wait for your distribution to tell you about the remote
> root exploit in foo-1.23?

  IMO a lot depends on one's environment. You are in a public school
environment and I'm in a tiny office environment. Chances are more than good
that I don't run foo-1.23. I don't run my own Web or ftp servers because I
don't want to be distracted by keeping them secure. And, I don't need to
worry about internal threats -- unless I'm tired, not paying attention and
do something really stupid. Which I have done several times.

Many thanks,

Rich

Dr. Richard B. Shepard, President

                       Applied Ecosystem Services, Inc. (TM)
            2404 SW 22nd Street | Troutdale, OR 97060-1247 | U.S.A.
 + 1 503-667-4517 (voice) | + 1 503-667-8863 (fax) | rshepard at appl-ecosys.com
                         http://www.appl-ecosys.com/




