[Gllug] Voluntary work

Bernard Peek bap at shrdlu.com
Mon Nov 17 18:46:02 UTC 2003


In message 
<Pine.LNX.4.44.0311171016440.29369-100000 at yeoshua.ukpost.com>, Jason 
Clifford <jason at ukpost.com> writes
>On Mon, 17 Nov 2003, Bernard Peek wrote:
>
>> >No.  Perhaps you don't keep up with the MS bugfixes and "security patches" -
>> >there are often several issued in a day as new vulnerabilities are found.
>>
>> Yes. I'm on Microsoft's security alert mailing list, and some other
>> bug-tracking lists. The number of security alerts would definitely be a
>> factor in the decision.
>
>Security *alerts* should not be an issue at all unless they are coming out
>very late from the official channels.
>
>What you need to be concerned about is the delay between the discovery of
>a security bug and the release of a patch that fixes it - without fubaring
>anything else you depend upon.

That's why I am on multiple lists, not just Microsoft's.

One of the things that is very difficult to get over to management is 
that in general support is much better for Linux than it is for Windows. 
The delay between a bug being found and fixed is generally shorter for 
Linux apps.

Microsoft have now announced that they will only be sending out security 
patches once a month. I can see that this might sound like a good idea; 
it makes patching simpler. I'm reminded of Einstein's exhortation to 
"make things as simple as possible, but no simpler." I want my security 
patches within one working day of the vulnerability becoming public 
knowledge. Of course I also want them to be thoroughly tested.



-- 
Bernard Peek
London, UK. DBA, Manager, Trainer & Author. Will work for money.


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug



