I've gotten a little over halfway through the report now, and I believe I now understand the major flaw in it. The report makes a big deal of the fact that the Enterprise versions of SUSE and Red Hat don't upgrade versions during the life of the platform. Only security fixes and some functionality backports are issued. They make the point that Open Source development continues onward, and that new versions are released regularly, so 3rd party developers may not develop using the same packages on their systems that SUSE and Red Hat do. Which is pretty much nonsense for any major ISV. If you want your product to run on SLES8, and you want to certify your product on SLES8, you develop it on SLES8.
The study designers decided to require the installation of 3rd party products that required the system administrators to download and (in some cases compile) and install versions of packages that were not distributed and not supported by Novell/SUSE on SLES8. As you say, that pretty much makes everything that follows afterwards nonsense. Speaking from personal experience, my team's response to that would have been "No. If you want that functionality, you need to find something that will work with what Novell ships. If that means we need to build new servers with a newer version of SLES, OK, but we're not installing stuff that doesn't come from Novell." As you mention, I'm not aware of too many places that install patches every month. Our security teams rank vulnerabilities, and anything over a certain level has to be patched within 30 days. Others must be patched within 60 days, and so on. We typically try to keep to a quarterly patching cycle for fixes that don't require faster responses. I suspect the "patch every month" decision had some influence from the Windows SA practice of "preventive reboots" on a regular basis. The general idea of the study was a good one, but they violated some pretty basic IT principles in their choices of how to actually do the study. What can I say except it seems that when MS money flies in, reason seems to fly out for these kinds of companies. Mark Post -----Original Message----- From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of John Summerfied Sent: Saturday, November 19, 2005 6:16 PM To: LINUX-390@VM.MARIST.EDU Subject: Re: Windows Server thrashes Novell's Linux Post, Mark K wrote: > How many of those patches were against packages that would not be in a > base Windows install? I didn't see any URL to the actual report, so I > can't answer that myself. There's a Clayton's link to http://www.microsoft.com/windowsserversystem/facts/default.mspx which links to http://www.microsoft.com/windowsserversystem/facts/analyses/sievolving.m spx where you can download the report. -snip- I found the monthly update cycle for both interesting. How often do people really patch their Linux systems? -snip- > I have to give Microsoft credit for greatly improving their security > over the last couple of years. That simply doesn't fix a security > model that's outright broken to start with. The big problem arose when requirements changed resulting in acquistion of software available for both Windows A Linux. Fair enough? The requirement should have specified Windows 2000 and SLES8 and plans/commitments for future releases. A cynic would say one of the criteria of the software that was chosen was that it not be compatible with SLES8: the package actually chosen required a glibc upgrade, and of course if your sysadmin insists on doing that the system will break. I've not read the entire report; once I discovered that it lost all validity IMV, but I'd inspect it more closely were I choosing (or advising in the choosing) between W and L. Not all the report is junk, it does make some good points. ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390