Per,
On Monday 20 June 2005 13:05, Per Jessen wrote:
Randall R Schulz wrote:
...
I'd say your paranoia is best directed elsewhere.
Randall, I (obviously) disagree about this being paranoia. As a sysadmin you should be fully aware of what is running on your systems. Applying patches and fixes more or less in the blind is not the way to go about that. Whether or not you trust the supplier.
This just does not make any sense. They do detail the changes they put into each YOU update. And again, if you don't trust the provider you've chosen, then you might as well skip a commercial distribution altogether and build the system from sources yourself. That's the only way you'll be "fully aware of what is running on your systems." That, and read and fully comprehend all the source code for that software. You might as well write all the software you're going to run if you feel you need such a total, complete, and deep understanding of the code you're running. What you're saying just doesn't work in practice. You have to trust someone or you won't get anywhere. And no matter how much you think you know about what you're running, you can't be fully assured of preventing crashes, break-downs or break-ins. And the characterization "blind" is yours, not mine. To make it a policy to install all kernel updates doesn't mean install them without being aware of what they do or contain, just that in order to be abreast of all the security and bug fixes extant, you can't skip releases.
many of us run systems that are not what is usually considered "production."
I totally appreciate that, but I don't think it can be taken as the rule. (Why stick to only SuSE's patches if you're not in some form of controlled environment?)
It's not a rule, just a recognition that many people aren't using SuSE Professional to run mission-critical systems. And many people will advise you _not_ to use SuSE Pro or Fedora for such systems and stick to the more reliable "enterprise" variants from the respective vendors. My employer runs its huge fleet of production Linux systems on RHEL3. Sadly, we have to use the same for development, which irks me, but I live with it.
My policy, which has not caused me any problems, is to apply all YOU patches. For the most part, I'm greedy about new software, new capabilities and enjoying the nice steady stream of improvements that issue forth from the Open Source community. Take KDE, for example: Over the past year it has progressed immensely, and I for one would not want to forgo all those improvements.
On my personal workstation I apply exactly what you've just described, but for most other systems, customers depend on them being up and running, so the risk involved in applying an _unnecessary_ (kernel or not) patch is not warranted. There's room for everyone of course, but I have a number of production systems to run 7x24. Downtime is scheduled about one month in advance, preferably around Christmas :-) My general system uptimes are +300 days with a couple of exceptions in both ends.
Again, SuSE Professional is a leading-edge distribution. If you have these requirements, then it's a dubious choice to use such a distribution instead of one of the more stable enterprise counterparts.
Anyway, I was merely trying to suggest a careful change policy, I didn't intend to dictate to anyone how to run their system(s).
And I don't think my suggestion is lacking in carefulness, but as you say, each system administrator must make that determination for themselves.
/Per Jessen, Zürich
Randall Schulz