| 1 |
On Tue, December 7, 2004 3:12 am, Mariusz Zalewski said: |
| 2 |
> Andrew Cowie wrote: |
| 3 |
>> Gentoo is excellent from a security standpoint; either a version bump or |
| 4 |
>> a backported patch tends to be made available very quickly, especially |
| 5 |
>> on the various things that tend to be in production use. |
| 6 |
> |
| 7 |
> Did any institution or organization made some measurement? I mean - how |
| 8 |
> much time does it take from 0 day (when the critical bug is discovered |
| 9 |
> in the most popular server services: ssh, ftp, apache...) to the time, |
| 10 |
> when new ebuild is available from emerge? Did anybody made this |
| 11 |
> measurement? |
| 12 |
|
| 13 |
Gentoo balances security risks with stability risks and promotes things in |
| 14 |
a very reasonable timeframe. No stable distribution has instant promotion |
| 15 |
of patches. If Gentoo did, I wouldn't trust it on my servers, because it |
| 16 |
probably wouldn't be very stable. But don't forget that the Gentoo team |
| 17 |
has to test on a lot more configurations than just what you have, so it |
| 18 |
will take some time. |
| 19 |
|
| 20 |
If you think the patch is critical enough, and it's not in portage yet, |
| 21 |
then just apply it yourself. If your a professional running real |
| 22 |
production systems, than you're being paid to look after your systems. |
| 23 |
Stop relying on the Gentoo team to do your work for you. For my servers, |
| 24 |
any critical listeners that are on the Internet are *not* emerged. I use |
| 25 |
portage for quick and easy base-system maintenance. But my critical |
| 26 |
servers that are most vulnerable - e.g. apache, php, squirrelmail, qmail, |
| 27 |
courier-imap, etc. - are all hand-rolled. I download the source patch, |
| 28 |
build it on a test system, confirm that my applications work against it, |
| 29 |
and roll it onto my prod system. For critical patches, it's often done in |
| 30 |
a few hours. There's *no way* any distro can beat that time frame without |
| 31 |
significant risk of destabilizing most of their user base. I can do it |
| 32 |
because I have only one configuration to test. |
| 33 |
|
| 34 |
-Eric |
| 35 |
|
| 36 |
-- |
| 37 |
arctic bears - email and dns services |
| 38 |
http://www.arcticbears.com |
Archives