This sounds fascinating - I'd love to know more about *ix permissions,
securing Orion properly etc.

You sound like you've got it all down pat, if you wouldn't mind, I'd love to
learn more about your setup - as I'm sure other Orion users would. How about
writing a quick how to doc about securing Orion on *ix?

The OrionSupport team will love you for it ;)

Mike

> -----Original Message-----
> From: Jim Archer [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, October 22, 2000 1:18 PM
> To: Orion-Interest
> Cc: Mike Cannon-Brookes
> Subject: RE: Orion in production - autoupdate tool
>
>
> Actually, I'm not sure the auto-update tool is very useful at all in
> production. For security reasons, we don't allow Orion write access to
> itself.
>
> If we configure our operating system to allow Orion to overwrite its own
> code files, we create a serious security hole. A hacker may discover an
> exploit in Orion that gets it to change its files and open a security hole.
> If Orion can't write to itself, this can't happen. Configuring an app like
> a web server to not have write access to itself is security measure
> number 1.
>
> Jim
>
> --On Sunday, October 22, 2000 12:09 PM +1000 Mike Cannon-Brookes
> <[EMAIL PROTECTED]> wrote:
>
> > Robert,
> >
> > I agree with some of your points, and I have a 'semi' solution that I've
> > told Magnus about before.
> >
> > The autoupdate tool is brilliant, but too addictive. Sometimes I've
> > updated to get fixes for bugs, only to get another version with a
> > different annoying bug.
> >
> > If it had the option to autoupdate to the latest 'stable' version, or the
> > latest 'rough edged' version, it would be perfect.
> >
> > eg java -jar autoupdate.jar -version=stable / development
> >
> > Oh, and to Al who says he can't see Orion because it's too inexpensive?
> > Just tell the client it's $10k, bill 'em $10k and they'll love you for it
> > - oh, and either pocket the $8.5k or donate it to the Orion guys, I'm
> > sure they wouldn't knock you back ;)
> >
> > Mike
> >
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED]]On Behalf Of Robert Krueger
> >> Sent: Sunday, October 22, 2000 5:19 AM
> >> To: Orion-Interest
> >> Subject: RE: Orion in production
> >>
> >>
> >>
> >> At 07:46 21.10.00 , you wrote:
> >> > I think that Orion far outshines products like EA Server, Web Sphere,
> >> > etc because of the functionality available - and you are right - the
> >> > docs are just a little more pretty and their tech support is absurdly
> >> > costly and much less informative than what is found on this list.
> >>
> >> <snip/>
> >>
> >> ok, sorry to somehow take the part of mr. bad guy here but I get the
> >> feeling someone following this discussion IMHO doesn't really get the
> >> right impression. it's a little bit too black and white. first of all,
> >> let me say that after about a year of intensively using orion in
> >> development and half a year in production, I'm a generally very
> >> satisfied customer and I do appreciate the completeness, standards
> >> conformance, speed, great logical concept of orion. however, I think
> >> it's oversimplifying things to say it's just marketing that makes the
> >> big names so expensive (it's a significant factor, though) and it's not
> >> a very good assessment to say that orion beat all competitors' asses if
> >> it weren't for the lack of good documentation. there are some
> >> significant things that are a lot of work and therefore very expensive
> >> like QA and rigid testing with many, many hardware, software, db, vm
> >> combinations that a company the size of evermind simply cannot deliver
> >> (have you looked at the number of platforms you can get websphere
> >> for?). anyone who says that write once run anywhere really works 100%
> >> probably hasn't been involved in too many real-world projects where
> >> certain combinations of VMs and software just crash under certain load
> >> conditions. that's why e.g. weblogic is tested and certified for a
> >> particular platform. of course, part of this certification stuff is to
> >> keep the typical IT manager happy but to say it's all bullshit is
> >> off-target and not very professional IMO. when orion became officially
> >> stable (1.0) it still contained many very serious bugs and I presume it
> >> wouldn't have been 1.0 time if it hadn't been for J1. the flexibility
> >> and development speed of the orion team takes its toll in the number of
> >> fundamental bugs in those very features. with a few exceptions I doubt
> >> many of those would slip through bea or ibm QA. I sometimes think it
> >> feels like an open source project but without the source. a very loyal
> >> user community and very short release cycles but still lots of rough
> >> edges.
> >>
> >> don't get me wrong. I'm a great fan of orion and I think for many
> >> projects it's an unbeatable tool with no serious competitors especially
> >> considering the price and I think magnus and karl are extremely good
> >> software architects and true J2EE wizards but I think there are some
> >> more things one has to consider before making the kind of statements
> >> that have been made in this thread. at my company we share the
> >> experiences with a very efficient development environment using orion
> >> together with jikes and ant but we also had our share of spending
> >> considerable amounts of time working around serious bugs or waiting for
> >> fixes for showstoppers.
> >>
> >> to sum things up, IMO orion is a great deal and it completely meets
> >> (and exceeds) the requirements many people have for an appserver but it
> >> does have its rough edges (and that's not primarily the documentation
> >> IMO). I'm quite sure that those will fade away eventually but evermind
> >> still has some work to do in the areas QA, support and documentation.
> >>
> >> let's just hope they don't get bought out and manage to grow quickly
> >> yet in a controlled manner so they can continue developing a kick-ass
> >> server.
> >>
> >> just my 2c
> >>
> >> robert
> >>
> >> (-) Robert Krüger
> >> (-) SIGNAL 7 Gesellschaft für Informationstechnologie mbH
> >> (-) Brüder-Knauß-Str. 79 - 64285 Darmstadt,
> >> (-) Tel: 06151 665401, Fax: 06151 665373
> >> (-) [EMAIL PROTECTED], www.signal7.de
> >>
> >>
> >>
> >
>
>
>
>
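
The rule stated in Jim's message above, that the server's account must not be able to write to the server's own files, can be audited mechanically. The following is an added example, not part of the original thread or of Orion's tooling; the file names and modes are a constructed layout, and the check covers classic Unix mode bits only (ACLs are ignored, and root bypasses all of it).

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """Classic Unix check: owner bits, else group bits, else other bits."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_install(root, uid, gids):
    """List paths under root (relative) that the service account can modify.

    Directories count: write access to a directory allows replacing the
    files inside it even when those files are themselves read-only.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced
            if writable_by(st, uid, gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)

def build_sample_tree():
    """Constructed layout for the demo; names and modes are made up."""
    root = tempfile.mkdtemp(prefix="appserver-")
    layout = {"orion.jar": 0o644, "config/server.xml": 0o664}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
    os.mkdir(os.path.join(root, "log"))
    for rel, mode in {".": 0o755, "config": 0o755, "log": 0o775}.items():
        os.chmod(os.path.join(root, rel), mode)
    return root

if __name__ == "__main__":
    tree = build_sample_tree()
    owner, group = os.stat(tree).st_uid, os.stat(tree).st_gid
    # Service runs as the account that owns the install: everything is writable.
    print("same account:", audit_install(tree, owner, {group}))
    # Separate account sharing only the group: just group-writable paths remain.
    print("separate account:", audit_install(tree, owner + 1, {group}))
```

An empty result for the service account's uid and groups is the state the message describes; any code or config path in the output is something a compromised server process could rewrite.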

