On 11/16/10 1:19 PM, Jeff Schroeder wrote:
Security is way too big a concern for us, even in closed off environments. You do know that the linux kernel has had a butt-load of root level exploits in the past year, much less multiple years?I hear that and agree with it. But when you're hosting a dedicated server for a client and that client has absolutely forbidden that the server be taken offline-- even for security updates-- what do you do? I made the argument, explained the risks involved, and was told that the priority is to keep the server up and available.After a while you pass a point of no return-- the software on the server is so out of date that upgrading it to the latest security patches means changing a hundred packages on the server. And that means downtime and (much more problematic) software on the server that no longer works because it was built years ago atop certain libraries that no longer exist because they've been upgraded. It's a tough place to be. The client pays me to keep the server running and not patched, and they're aware of the risks, so I do it. It's still cool to see something run for four or five years straight though. :) Jeff
Totally cool to have an uptime that long, I agree, but I have been down the path of pain and futility that you describe, and in the long run, it is bad for EVERYONE in the data center when it gets compromised (not if, but when). I stand firm in the policy that I won't have a server that is not routinely patched. They can find another location if that is their attitude, because a compromise costs a lot of people a lot of money, and patching vulnerabilities is so simple an issue to avoid.
smime.p7s
Description: S/MIME Cryptographic Signature
/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
