Hi!

On Wed, Aug 16, 2006 at 05:07:46PM +0100, Ian P. Christian wrote:
> Twice you've suggested there are problems, and it's ok because there
> haven't been many. This really isn't the case. I can't afford to
In my exp and after reading ml I think constant updates in x86 result in
1-2 issues per year. I think it's ok. I think it's better to get these
issues isolated, after updating 2-3 packages, and with ability to fallback
to previous package versions, than get these issues after massive update
of everything every 6-12 months and without ability to fallback.
Also I usually run `emerge --sync` and then wait 2-3 days reading ml
before running `emerge -uDNa world` - only in hope to avoid these
'1-2 issues per year', because if something that bad happens, ppl in ml
usually notify about it very quickly.
> systems and test them out properly. Perhaps giving them a week or two's
> worth of stress testing.
Yeah, I'm doing this 1-2 week stress testing by installing updates on
developers' servers first, then on production servers. But this is really
needed when some core package is updated - linux kernel, perl, mysql, apache -
everybody has their own list of critical packages and it isn't too big usually.
> I'm sorry, but that is just crazy talk ;)
> You clearly don't deal with PHP, where a point release can break a LOT
> of things, some things you might not notice by loading 2 or 3 pages from
> a website.
Yeah, you're right about me. I don't deal with PHP and I have never administered
more than 5-6 servers. :) But I think it happens sometime, so this
discussion is very interesting for me - I wanna learn others' experience
and be ready for situations where my own experience will not work anymore.
It still isn't clear to me why the update strategy for 100 servers differs
from 5-6 servers. I don't believe in 100 servers doing really DIFFERENT
tasks with really different configurations (at least - in all these
servers managed by a single admin :)). If most of these servers have similar
configurations then it's easy to set up a few test servers updated
constantly and have production servers updated with some delay after the test
servers.
P.S. About PHP. I don't deal with PHP for only one reason:
I convinced my boss that PHP is too insecure (Ohh, I feel millions of PHP
fanatics will kill me now :)) and we moved all our PHP apps onto a
dedicated server, which we bought specially for this task, and I don't really
think about security and updates of this server - I'm sure it can be hacked
just because of holes in PHP scripts which I can't audit and fix.
This may sound terrible, but... overall security is equal to the security of
the weakest place, and I don't think my attitude to updating this server
lowers its overall security. Myself, choosing between hacking one of the
apache/ssh/qmail services on a non-updated-in-12-months server with Hardened
Gentoo and hacking a lot of different (both custom and opensource) PHP apps
on this server, I would choose PHP without thinking too much. :)
--
WBR, Alex.
