[PLUG] Joe Jobbed

Aaron Burt aaron at bavariati.org
Wed Oct 10 16:21:08 UTC 2007


On Tue, Oct 09, 2007 at 11:59:27PM -0700, Ronald Chmara wrote:
> On Oct 9, 2007, at 9:25 AM, Aaron Burt wrote:
> > On Mon, Oct 08, 2007 at 08:20:21PM -0700, Ronald Chmara wrote:
> >> On Oct 8, 2007, at 11:06 AM, Aaron Burt wrote:
> >>> On Fri, Oct 05, 2007 at 08:11:07PM -0700, Ronald Chmara wrote:
> >>>> I blame lazy distros, who don't keep on top of security (Cent,
> >>>> Debian, Ubuntu, RHEL... the whole lot of 'em are to blame).
> >>> What makes you say that?
> >> Because every vendor-driven package manager I've used lately is 1-24
> >> months behind the latest security and stability fixes for some (or in
> >> a few cases, many) of its packages.
> > Really?  Do you have specific and significant examples that you could
> > warn us about?  Name 'n' shame is the security game.
> 
> CentOS 5, RHEL5 (etc.):
> #php -v
> 
> If you're not at 5.2.4 (or a patched equivalent), you're running bad  
> code, with literally *thousands* of security and stability patches  
> omitted.
> 
> > And how do *you* deal with it?  Does it work for an admin who's
> > time-poor, needs to automate tasks and handles many hosts?
> 
> I walked into a nightmare on my current job, 4 distros, no standard  
> configure strings, no standard libraries, no documentation.

Par for the course, innit?  "Well, the backup app that management forced
down our throats is only supported on DeadRat, but the old sysadmin
liked DebbieDuz, and the intern we had 2 years ago was a Gentoo ricer,
but he was too busy optimizing the IRC server to harmonize the configs..."

> Here's what I'm rolling out (over time, big companies move slow):
> One distro.

I don't mean to start a distro war, but which one?

> One .configure for the binaries.

Hm?  So you're not using packages, just compiling from tarballs?

> .configure files based on the machine's "role" (mysql server, php  
> server, etc.)
> ..and so on.
> 
> > I've certainly come to
> > appreciate distribution packages and updates, and careful
> > version-control of packages and config files.
> 
> It's not the binaries, it's the controlled *process* that matters.

Correct.  Security is a process.  Reliability is a process.  Keeping
your clients happy is a process.  Systems administration is the process
of balancing all of that against human and technical limitations.
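The `php -v` test Ronald suggests above comes down to parsing the banner and comparing dotted version numbers, which is easy to get wrong by hand (5.2.10 sorts after 5.2.4, not before it). The script below is an added example, not code from either poster; the function names (`php_version`, `vercmp`, `needs_update`) and the sample banner line are my own constructions, and the sample is illustrative rather than a claim about any particular package build.

```sh
#!/bin/sh
# Added example: parse the first line of `php -v` and decide whether the
# reported version is older than a required upstream release.

# php_version LINE: print the dotted version from a `php -v` banner line,
# e.g. "PHP 5.1.6 (cli) (built: ...)" -> "5.1.6". Distro suffixes such as
# "5.2.4-2ubuntu5" are cut at the first non-digit, non-dot character.
php_version() {
    printf '%s\n' "$1" | sed -n 's/^PHP \([0-9][0-9.]*\).*/\1/p'
}

# vercmp A B: print -1, 0 or 1 for A<B, A=B, A>B, comparing each dotted
# component numerically. Missing trailing components count as 0, so
# 5.2 equals 5.2.0 and 5.2.10 is greater than 5.2.4.
vercmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}
        bh=${b%%.*}
        [ -z "$ah" ] && ah=0
        [ -z "$bh" ] && bh=0
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# needs_update LINE REQUIRED: succeed (exit 0) when the banner reports a
# version older than REQUIRED; exit 1 when it is at or above REQUIRED;
# exit 2 when the line could not be parsed at all.
needs_update() {
    v=$(php_version "$1")
    [ -n "$v" ] || return 2
    [ "$(vercmp "$v" "$2")" = -1 ]
}

# Constructed sample banner (not captured from a real host) for a
# stand-alone run. On a live box replace it with: php -v 2>/dev/null | head -n 1
SAMPLE='PHP 5.1.6 (cli) (built: Jan 1 2007 00:00:00)'
REQUIRED=5.2.4
if needs_update "$SAMPLE" "$REQUIRED"; then
    echo "installed $(php_version "$SAMPLE") is older than $REQUIRED"
else
    echo "installed $(php_version "$SAMPLE") is at or above $REQUIRED"
fi
```

One caveat before acting on the verdict: on RHEL and CentOS the package version stays at the release Red Hat originally shipped and security fixes are backported, so a "behind" result from the version number alone overstates the exposure. Pair it with `rpm -q --changelog php` and look for the advisory references you care about before deciding that a host is unpatched.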
