On Sun, 2004-11-07 at 04:35 +1100, O Plameras wrote:
> From then on, installation, distribution, and maintenance is the same as
> you would with any system. So, for a kernel-bridge-firewall installation
> for example build-once and distribute-to-many is the procedure. One does
> not re-compile physically on each computer in the organization every
> time there is a patch that is to be made.
I think that the original question had two parts which you have not answered:

a) How do you ensure your 'master' is current with all the patches? It would be interesting to be specific. How did you deal with the Debian break-in, for example? Did you have the AM patches in already, or did you include them and roll them out urgently? As an aside, do you rely on kernel source trees or distribution source trees? I use Debian source to build my firewall's kernel, so I get the benefit of any patching that Debian may have done.

b) How do you ensure that your clients are updated to the revised copy on an ongoing basis? It is a serious problem, because rolling out security updates is a low-priority problem for a number of smaller companies because 'I have not been hacked yet'. (Kind of like my home backup principles :-) ) Unless you install yourself.

PS: While the break-in is not a glowing recommendation for Debian :-( we can all afford to learn and see the fact that security is a real problem of balance between stability and security. It even destroys those who describe uptime as a measure of success. (So you have not applied kernel patches for 2 years on your firewall, interesting...)

-- 
Ken Foskey

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
