On Sun, 23 Feb 2020 12:20:48 +0000, Jonathan Buzzard said:

> > That's not *quite* so bad. As long as you trust *all* your vendors to notify
> > you when they release a patch for an issue you hadn't heard about.
>
> Er, what do you think I am paid for? Specifically it is IMHO the job of
> any systems administrator to know when any critical patch becomes
> available for any software/hardware that they are using.

You missed the point. Unless you spend your time constantly e-mailing *all* of your vendors "Are there new patches I don't know about?", you're relying on them to notify you when there's a known issue, and when a patch comes out.

Red Hat is good about notification. IBM is. But how about things like your Infiniband stack? OFED? The firmware in all your devices? The BIOS/UEFI on the servers? If you're an Intel shop, how do you get notified about security issues in the Management Engine stuff (and there's been plenty of them)? Do *all* of those vendors have security lists? Are you subscribed to *all* of them? Do *all* of them actually post to those lists?
_______________________________________________ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss
