On Tue, December 7, 2004 3:12 am, Mariusz Zalewski said:
> Andrew Cowie wrote:
>> Gentoo is excellent from a security standpoint; either a version bump or
>> a backported patch tends to be made available very quickly, especially
>> on the various things that tend to be in production use.
>
> Did any institution or organization make some measurement? I mean - how
> much time does it take from 0 day (when the critical bug is discovered
> in the most popular server services: ssh, ftp, apache...) to the time
> when the new ebuild is available from emerge? Did anybody make this
> measurement?

Gentoo balances security risks with stability risks and promotes things in
a very reasonable timeframe. No stable distribution has instant promotion
of patches. If Gentoo did, I wouldn't trust it on my servers, because it
probably wouldn't be very stable. But don't forget that the Gentoo team
has to test on a lot more configurations than just what you have, so it
will take some time.

If you think the patch is critical enough, and it's not in portage yet,
then just apply it yourself. If you're a professional running real
production systems, then you're being paid to look after your systems.
Stop relying on the Gentoo team to do your work for you. For my servers,
any critical listeners that are on the Internet are *not* emerged. I use
portage for quick and easy base-system maintenance. But my critical
servers that are most vulnerable - e.g. apache, php, squirrelmail, qmail,
courier-imap, etc. - are all hand-rolled. I download the source patch,
build it on a test system, confirm that my applications work against it,
and roll it onto my prod system. For critical patches, it's often done in
a few hours. There's *no way* any distro can beat that time frame without
significant risk of destabilizing most of their user base. I can do it
because I have only one configuration to test.

-Eric

--
arctic bears - email and dns services
http://www.arcticbears.com