we have (and have had for a long time) mandated installation items and
practices to maximise reliability - part of which is constant upgrading.
as part of that i get the security feeds from cert - www.cert.org - and
monitor them carefully. it's interesting that open source software is
still having potential problems logged, and as i mentioned, often within
24 hours, but certainly a couple of days, redhat is distributing a
patch. i think they really set the standard here - oss coders for the
fixes, and redhat for getting it out there.
ms has hardly been mentioned lately which i guess means they've been
successful and fixed all their security issues (sic).
i'm waiting to see xml security issues start appearing - and wondering
about how they will be fixed.
On Fri, 2003-10-03 at 00:46, Bullard, Claude L (Len) wrote:
> I don't have experience with Red Hat. My experience with
> MS is improving quickly. The announcements now come fast
> and the Windows Upgrade process is easy. That's a desktop
> perspective, but I do have SQL Server running locally, and
> so far, so good. When the Love bug hit the wires, we had
> some serious problems here. Since then, our IT department
> has become not politely but strenuously insistent, to the
> point of Draconian measures when needed to get the attention
> of the droid owners. Hopefully, everyone has gotten the
> message that security is a serious business issue. But have they?
> Here is the kind of thing that frustrates the IT folks:
> "It's no secret that the advantages of upgrading operating systems or
> application software has diminished quite significantly over the last few
> years. If you look back over history, there were great advantages from one
> release to another. You just don't get that anymore. You just don't get the
> bang for your buck switching from 2000 to XP.
> --Toni Duboise"
> It's just dead wrong and spreading the idea contributes to
> the problems by insisting there is no value
> in getting a better operating system. XP is waaaay better
> than 2000 and one can see that easily by dropping some
> more RAM into the machine and watching what happens.
> Security is better but not perfect. There is something
> to be said for killing Outlook Express wherever one
> finds it. Scripting inside mail systems is a bad brew.
> So part of the problem is the old legacy not having been
> fully patched, part of it is competence in that sloppy
> code gets released, part of it is institutional in that
> sloppy code isn't discovered early enough, part of it is
> architectural in that the trade offs of ease and security
> aren't fully understood and implemented, and part of
> it is cultural, in that the web culture has yet to
> mature to the point to realize the deep nature of its
> interdependencies and the folly of unsavory or ill-informed
> Everyone is learning. We need to encourage collaboration
> on solving these problems, learn to improvise and work
> together quickly, and stop stomping on each other's lines
> or riffs just to get more of the spotlight on ourselves.
> A theatre troupe banishes an actor who does that and any
> technician that helps them. A jam band beats them up. ;-)
> From: Rick Marshall [mailto:email@example.com]
> that's why i primarily use windows 2000/xp and redhat linux distros -
> redhat in particular is very fast at getting fixes out - so they
> obviously recognise the problem from a business perspective. ximian has
> an alternative that is almost as good. microsoft does the job, but i
> find its response a bit patchy although i haven't done the stats.
> basically i watch the announcements from cert and then how long to get a
> fix from the vendor.
> The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
> initiative of OASIS <http://www.oasis-open.org>
> The list archives are at http://lists.xml.org/archives/xml-dev/
> To subscribe or unsubscribe from this list use the subscription
> manager: <http://lists.xml.org/ob/adm.pl>