lhecking at users.sourceforge.net
2015-May-06 11:04 UTC
[CentOS] VirtIO drivers and CentOS 5.4(Final)
> You have several hundred more Critical or Important security updates
> outstanding. If that box touches the Internet in any way, it is likely
> compromised. Just in the last 6 months there are 21 Important or
> Critical updates.

That is an important qualifier: *If* that box touches the Internet in any way.
Although one might add that attacks on the LAN can be nastier since there
usually is local access.

While I'm all for keeping machines current, there are production environments
where upgrading is a huge pain or outright impossible. Where any upgrades need
to undergo a rigorous QA process. Where an outdated environment including
equally outdated production tools needs to be maintained, on the chance e.g.
that a customer return requires reworking an old part. I would consider it
part of list etiquette to not second-guess those who for one reason or another
make a conscious decision to stick to a particular environment.

I will no doubt be told that CentOS 5.4 = CentOS 5.11 = CentOS 5, ie. the
same OS, but this is not strictly true. For example, it would appear that
autofs breakage and performance loss is at a minimum in 5.4.

There :)
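The quoted claim above counts advisories by severity and by how recently they were issued. The following script is an added example (not from any poster in this thread) showing how such a count is produced from an errata feed in the updateinfo.xml layout that yum's security plugin consumes; the feed content here is constructed, the advisory ids are placeholders, and the assumed element shape (`<update type=...>` with `<severity>` and `<issued date=...>`) is an assumption about that format. It counts advisories published in the feed; deciding which of them are actually outstanding on a given host additionally requires comparing the advisory's package versions against what is installed, which is what `yum --security check-update` does on the box itself.

```python
"""Count security advisories by severity and recency from an updateinfo.xml feed."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# Constructed sample in the updateinfo.xml layout (assumption about the format):
# each <update> carries a type, a <severity> for security errata and an <issued> date.
# Ids and titles are placeholders, not real advisories.
SAMPLE_UPDATEINFO = """<?xml version="1.0" encoding="UTF-8"?>
<updates>
  <update from="errata@example.invalid" status="final" type="security" version="1">
    <id>EXAMPLE-2015:0001</id>
    <title>Important: kernel security update (constructed)</title>
    <severity>Important</severity>
    <issued date="2015-04-20 00:00:00"/>
  </update>
  <update from="errata@example.invalid" status="final" type="security" version="1">
    <id>EXAMPLE-2015:0002</id>
    <title>Critical: openssl security update (constructed)</title>
    <severity>Critical</severity>
    <issued date="2015-01-15 00:00:00"/>
  </update>
  <update from="errata@example.invalid" status="final" type="security" version="1">
    <id>EXAMPLE-2014:0003</id>
    <title>Moderate: bind security update (constructed)</title>
    <severity>Moderate</severity>
    <issued date="2014-09-01 00:00:00"/>
  </update>
  <update from="errata@example.invalid" status="final" type="security" version="1">
    <id>EXAMPLE-2014:0004</id>
    <title>Critical: glibc security update (constructed)</title>
    <severity>Critical</severity>
    <issued date="2014-08-10 00:00:00"/>
  </update>
  <update from="errata@example.invalid" status="final" type="bugfix" version="1">
    <id>EXAMPLE-2015:0005</id>
    <title>autofs bug fix update (constructed)</title>
    <issued date="2015-03-01 00:00:00"/>
  </update>
</updates>
"""


def parse_advisories(xml_text):
    """Return a list of (id, type, severity, issued) tuples; issued is a datetime or None."""
    root = ET.fromstring(xml_text)
    advisories = []
    for upd in root.findall("update"):
        severity = upd.findtext("severity") or "None"
        issued = upd.find("issued")
        when = None
        if issued is not None and issued.get("date"):
            # Only the calendar date matters for a "last N months" window.
            when = datetime.strptime(issued.get("date")[:10], "%Y-%m-%d")
        advisories.append((upd.findtext("id"), upd.get("type"), severity, when))
    return advisories


def count_by_severity(advisories, severities=("Critical", "Important"), since=None):
    """Count security advisories of the given severities, optionally only those issued on or after `since`."""
    counts = {}
    for _adv_id, kind, severity, when in advisories:
        if kind != "security" or severity not in severities:
            continue
        if since is not None and (when is None or when < since):
            continue
        counts[severity] = counts.get(severity, 0) + 1
    return counts


def outstanding_summary(xml_text, today):
    """Summarise Critical/Important advisories overall and within the last six months of `today`."""
    advisories = parse_advisories(xml_text)
    return {
        "total": count_by_severity(advisories),
        "last_6_months": count_by_severity(advisories, since=today - timedelta(days=182)),
    }


if __name__ == "__main__":
    # Reference date taken from the thread's own date.
    print(outstanding_summary(SAMPLE_UPDATEINFO, datetime(2015, 5, 6)))
```

The six-month window is approximated as 182 days; advisories without a severity (bugfix and enhancement errata) are ignored, which matches how the quoted figure was framed.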
On 05/06/2015 06:04 AM, lhecking at users.sourceforge.net wrote:
>
>> You have several hundred more Critical or Important security updates
>> outstanding. If that box touches the Internet in any way, it is likely
>> compromised. Just in the last 6 months there are 21 Important or
>> Critical updates.
>
> That is an important qualifier: *If* that box touches the Internet in any way.
> Although one might add that attacks on the LAN can be nastier since there
> usually is local access.
>
> While I'm all for keeping machines current, there are production environments
> where upgrading is a huge pain or outright impossible. Where any upgrades need
> to undergo a rigorous QA process. Where an outdated environment including
> equally outdated production tools needs to be maintained, on the chance e.g.
> that a customer return requires reworking an old part. I would consider it
> part of list etiquette to not second-guess those who for one reason or another
> make a conscious decision to stick to a particular environment.
>
> I will no doubt be told that CentOS 5.4 = CentOS 5.11 = CentOS 5, ie. the
> same OS, but this is not strictly true. For example, it would appear that
> autofs breakage and performance loss is at a minimum in 5.4.
>
> There :)

It's your box and your job ... so :)
On 06.05.2015 at 13:04, lhecking at users.sourceforge.net wrote:
>
>> You have several hundred more Critical or Important security updates
>> outstanding. If that box touches the Internet in any way, it is likely
>> compromised. Just in the last 6 months there are 21 Important or
>> Critical updates.
>
> That is an important qualifier: *If* that box touches the Internet in any way.
> Although one might add that attacks on the LAN can be nastier since there
> usually is local access.

+1

> While I'm all for keeping machines current, there are production
> environments where upgrading is a huge pain or outright impossible.

updating vs upgrading?

and such "impossible" cases are rare compared to the majority of
EL OS installations. Saying that because the implicitness should
be systems in a current state and not contrariwise.

> Where any upgrades need to undergo a rigorous QA process.

the solution: automation

> Where an outdated environment including equally outdated production
> tools needs to be maintained, on the chance e.g. that a customer
> return requires reworking an old part. I would consider it part of
> list etiquette to not second-guess those who for one reason or another
> make a conscious decision to stick to a particular environment.

they are also unconscious decisions based on missing information :-)

> I will no doubt be told that CentOS 5.4 = CentOS 5.11 = CentOS 5, ie. the
> same OS, but this is not strictly true. For example, it would appear that
> autofs breakage and performance loss is at a minimum in 5.4.
>
> There :)

regressions exist also in cases where someone sticks to an old version.
I remember that nscd was consuming the whole memory - fixed in later
minor OS versions ... :-)

--
LF
Leon Fauster wrote:
> On 06.05.2015 at 13:04, lhecking at users.sourceforge.net wrote:
>>
>>> You have several hundred more Critical or Important security updates
>>> outstanding. If that box touches the Internet in any way, it is likely
>>> compromised. Just in the last 6 months there are 21 Important or
>>> Critical updates.
<snip>
>> While I'm all for keeping machines current, there are production
>> environments where upgrading is a huge pain or outright impossible.
>
> updating vs upgrading?
>
> and such "impossible" cases are rare compared to the majority of
> EL OS installations. Saying that because the implicitness should
> be systems in a current state and not contrariwise.
>
>> Where any upgrades need to undergo a rigorous QA process.
>
> the solution: automation

And the manager who made the decision to not upgrade needs to be made aware
of a) the dangers of *not* upgrading; b) the minimal risks of an upgrade
(security & bugfixes), and c) needs to stop coming up with impossible
schedules and put time into that least sexy thing of all, maintenance of
infrastructure.

And I, personally, would want an email from aforesaid manager telling me
not to do any upgrades, which I would print out in several copies and put
in a secure place....
<snip>

mark "CYA"