News from PANUG/BizNix - October 6, 2003
http://panug.org - http://biznix.org

PATCHING SYSTEMS - AN EVALUATION
by Gregg Berkholtz - PANUG Board member

Last week, Ray Robert said that he spent "the morning" patching his Linux systems and "much of yesterday" patching his Unix systems. He concluded with "Standardizing on one system is looking pretty good to me." He didn't say which system he would choose. How do the major operating systems compare in terms of patching?

Between my employer's systems, my personal systems, and the systems of a local consulting firm, I manage (including patching) around 250 Win32 desktops (NT4 and 2K), about 40 Linux, 15 NetWare, 3 Sparc Solaris, and 3 SCO OpenServer systems. In general, I've found the systems to be patchable in this order of ease and stability:

  1. Linux (Debian 3.0 and RedHat 7.2)
  2. Solaris (Sparc 9 and 7)
  3. Win32
  4. Novell
  5. SCO OpenServer

LINUX:

The Debian Linux distribution is by far the best for patching. Security issues are usually fixed within hours, and they only patch the existing production code. They don't force you to upgrade to the latest version of the package, which sometimes brings in bugs, incompatibilities, or other quirks I don't want to deal with right then. The RedHat distribution running with APT (not RPM) is second, because it takes a bit longer (usually by a few hours) to make the patches available.

For both the Debian and RedHat systems, I use a suite of tools known as "APT". The apt tools are native to Debian but were ported to Red Hat by Conectiva (see: http://freshrpms.net/apt). Apt is a tool that automatically determines interdependencies between the various programs/packages, and automatically downloads and installs them for you. You can either have APT download and compile the source, or you can just have it install the pre-built binary packages.
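As an added illustration (not the author's own script and not part of APT), here is the kind of unattended apt-get update/upgrade run this section describes, with the upgrade simulated and logged first so that changes to packages you consider critical can be looked at before they are applied. The log path, the REVIEW_CRITICAL package list and the parsing of apt-get's simulation output are this example's own assumptions.

```shell
#!/bin/sh
# Added example: unattended APT patch run with a dry-run check first.
# Assumes Debian-style apt-get (-s simulates, -y answers yes); the log
# path and the critical-package list are placeholders for this example.
LOG=${LOG:-/var/log/apt-patch-run.log}

# Read "apt-get -s upgrade" output on stdin and print one line per
# package that would change: "package old-version new-version".
# Simulation lines look like:  Inst pkg [old-version] (new-version origin)
# A package with no [old-version] is a fresh install; print "new" for it.
parse_upgrade_plan() {
    awk '$1 == "Inst" {
        old = ""; new = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^\[/) { old = $i; gsub(/\[|\]/, "", old) }
            else if ($i ~ /^\(/) { new = $i; sub(/^\(/, "", new); break }
        }
        print $2, (old == "" ? "new" : old), new
    }'
}

# Succeed (return 0) when the plan on stdin touches any package named in
# $1 (space-separated): the changes a person should look at before they
# go to a critical system.
touches_critical() {
    while read -r pkg old new; do
        for c in $1; do
            [ "$pkg" = "$c" ] && return 0
        done
    done
    return 1
}

# The unattended run: refresh the index, simulate, log the plan, then
# apply it unless REVIEW_CRITICAL names a package that is in the plan.
patch_system() {
    apt-get update >>"$LOG" 2>&1 || return 1
    plan=$(apt-get -s upgrade 2>>"$LOG" | parse_upgrade_plan)
    printf '%s\n' "$plan" >>"$LOG"
    if [ -n "$REVIEW_CRITICAL" ] &&
       printf '%s\n' "$plan" | touches_critical "$REVIEW_CRITICAL"; then
        echo "critical package in upgrade plan; review $LOG first" >&2
        return 2
    fi
    DEBIAN_FRONTEND=noninteractive apt-get -y upgrade >>"$LOG" 2>&1
}
```

On the boxes you double-check by hand, call it as REVIEW_CRITICAL="openssh-server libc6" patch_system; the rest get the plain unattended run.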
In what I estimate is 95% of the patches, it's just a matter of running these two commands:

  apt-get update
  apt-get upgrade

The first command updates the local database, so the APT tools know what's available for download and are aware of package/program interdependencies. The second command actually does the work. I rarely supervise the work; it runs unattended. In seven years I've never had a significant problem, though I do double-check the more critical systems. For the recent OpenSSH/OpenSSL issue, all my Linux servers were patched in 15 to 20 minutes without disrupting production.

In addition to using APT for patching systems, it can install and uninstall software. I've used it to perform major OS upgrades (i.e., from Debian 2.2 to 3.0), which included things such as a major library change, major kernel upgrades, and updates to nearly every binary on the systems. Major OS upgrades are a different animal than just a patch installation, and I was genuinely surprised when nothing went wrong - despite all the warnings.

SOLARIS:

I use a tool known as pkg-get, which is modeled after the Linux APT tools and behaves in very much the same way. For Solaris 7, 8, and 9 there's also the Solaris Patch Manager, which seems to work.

WINDOWS:

We use Novell's ZENworks to manage patches. Patch revision management is cumbersome and labor intensive even though our environment is fairly standardized. Frequently, Microsoft's patch tools say the system is patched but the actual system files have not yet been replaced. Sometimes some files are replaced but others are not. It's a convoluted mess and consumes much of my time.

Microsoft's products are really in need of a decent, enterprise-manageable patch management process: one that is truly integrated into the OS and the standard software install routines, one that keeps my systems inventories internal/private to us, and one that allows for rapid, stable, and reliable forced deployment of patches.
Now that's where Microsoft could "innovate". Instead of trying to stomp out competitors in other areas, how about catching up to the rest of us? Eh, now I'm dreaming.

NOVELL:

For the NetWare/GroupWise world, patch management is not much better than Windows. Their patch bundles frequently leave a server unbootable, or otherwise unusable. Novell has a long history of documenting only 2/3 of the actual changes included. Novell techs have admitted this to me, blaming it on a "last minute addition". Uninstalling patches on NetWare is a joke; Windows patches uninstall better.

As for security updates, I've found myself stumbling over security vulnerabilities that are patched in an undocumented manner in major patch releases: no notes with the major patch and no separate security vulnerability announcement. Other times, the only way to install a security patch is to install the whole OS service pack. There seems to be little concept of a hot-fix which resolves a specific issue. Ok, now I'm ranting. I am aware of no APT-like tools for NetWare either.

SCO OPENSERVER:

As best I know, there are no APT-like tools for SCO, and given SCO's inappropriate actions against the OSS community, the prospect of someone developing one seems slim. SCO has sometimes taken longer than six months to announce and release patches for crucial software. OpenServer is so finicky and unstable when it comes to patching that it's hardly surprising automated tools are not available. We're replacing our SCO servers as fast as we can.

Maybe my standards are too high.

WHAT'S HAPPENING TO RED HAT LINUX?
by Ken Barber

The reports are true: the current version of Red Hat Linux (RHL), version 9, is the last. There will not be an RHL 10. The rumors are false: Red Hat is not getting out of the Linux business, and Linux in general is not going away.
Red Hat is simply shifting their focus to their flagship product: Red Hat Enterprise Linux (RHEL), a commercial-grade Linux with emphasis on stability and long product lifetimes. The old RHL product has metamorphosed into The Fedora Project, a Red Hat-sponsored and community-supported distribution whose first release is scheduled for November 3. Red Hat engineers will contribute to Fedora, as will developers outside of Red Hat Corporation. Fedora's repositories will reside mostly on Red Hat-owned servers, and updates will be available through Up2date and Red Hat Network. However, Red Hat will not provide user support for Fedora, nor will Fedora be available in a boxed set for retail purchase.

Red Hat Enterprise Linux is a software suite that will have new releases every 12-18 months and a product life cycle (i.e., official support) of at least 5 years. The next release, 3.0, is due in another couple of weeks or so, and future releases will be based on then-current Fedora releases. Customers wishing to purchase a boxed, supported workstation Linux product from Red Hat will find the new RHEL Workstation product priced -- and supported -- very attractively.

More information on the Fedora Project, including an FAQ, is available at:
http://fedora.redhat.com/

Information on Red Hat Enterprise Linux is available at:
http://www.redhat.com/software/rhel/

NETTOP DESKTOP
by Ray Robert

The Defense Department's National Security Agency is in final testing of its NetTop desktop. This integrates elements of VMware into NSA's Security-Enhanced Linux OS. The goal is to allow secure access to unclassified and different levels of classified applications on the same physical machine.

Meanwhile, the Department of Homeland Security is going with Windows. One hopes that DHS will at least consider NSA's Security Recommendation Guidelines for Windows (http://nsa2.www.conxion.com; includes guidelines for Cisco routers).
Many proprietary Windows products, such as Microsoft Office versions before 2000, won't run on Windows secured to NSA levels.

GOVERNMENT SYSTEMS
by Ray Robert

A columnist discusses government use of open source vs. proprietary software:
http://gcn.com/22_28/tech-report/23567-1.html

It doesn't cover a lot of new ground, but it identifies the major players and arguments. It reaches what is, to me, the obvious conclusion: that it is "ill-advised" to require all agencies to use one or the other.

MORE SCO

The following Web page speaks to the SCO issue:
http://oss.sgi.com/letter_100103.txt

DISCLAIMER

PANUG and BizNix welcome contributions from all members. Member contributions do not necessarily represent the official positions of PANUG or BizNix. The views of members that contribute frequently may appear to be the official position of the group(s). If you contribute, you'll be adding vital diversity of opinion and outlook to these broadcasts.