From owner-freebsd-security Thu Apr 18 16:43:51 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id 9EDDD37B41B for ; Thu, 18 Apr 2002 16:43:36 -0700 (PDT) Received: (qmail 63068 invoked by uid 1000); 18 Apr 2002 23:43:51 -0000 Date: Fri, 19 Apr 2002 01:43:51 +0200 From: "Karsten W. Rohrbach" To: Benjamin Krueger Cc: Jeff Palmer , freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip Message-ID: <20020419014351.M60925@mail.webmonster.de> Mail-Followup-To: "Karsten W. Rohrbach" , Benjamin Krueger , Jeff Palmer , freebsd-security@freebsd.org References: <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org> <200204171923.g3HJNga58899@freefall.freebsd.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <012901c1e725$da237e90$0286a8c0@jeffrey> <20020418154338.D23267@rain.macguire.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="L/bWm/e7/ricERqM" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020418154338.D23267@rain.macguire.net>; from benjamin@macguire.net on Thu, Apr 18, 2002 at 03:43:38PM -0700 X-Arbitrary-Number-Of-The-Day: 42 X-URL: http://www.webmonster.de/ X-Disclaimer: My opinions do not necessarily represent those of my employer X-Work-URL: http://www.ngenn.net/ X-Work-Address: nGENn GmbH, Schloss Kransberg, D-61250 Usingen-Kransberg, Germany X-Work-Phone: +49-6081-682-304 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --L/bWm/e7/ricERqM Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Benjamin Krueger(benjamin@macguire.net)@2002.04.18 15:43:38 +0000: > Like it or not, Brett has raised a concern which is entirely valid and ec= hoed > by many system administrators. ( I have a feeling the number is not small= ) but you are missing the point that _administrators_ have the option (and the knowledge) to upgrade from source, using a builder system, just like most freebsd admins with larger installations do. > FreeBSD currently does not enable easy maintainance between critical rele= ase > points for large server environments. Using cvsup to maintain source buil= ds > for environments like these ( say 400 servers or more ) is not only=20 > unacceptable without an on staff developer and release engineer, it is=20 > infeasible.=20 take your favourite spreadsheet and create a TCO estimate of administration and maintenance of - freebsd 4.x - linux (your "favourite" distro) - win32 including the points - system setup - first time installation of services - customer education (for them to be able to use the system) - maintaining system stability (sec updates, subsystem upgrades) and all that in an automatic or semi-automatic manner with maint contracts running 1 or 2 years. at my previous employer we had 1000+ customer boxes out there, some with maintenance contracts, and freebsd turned out to be the most performant, most stable and cheapest solution. i would be delighted to see the numbers you get under the bottom line for TCO of the three platforms. > For those of you who would be quick to note that "Corporations with 400= =20 > servers should be able to afford a developer and release engineer" please= =20 > note that 400 NT, Solaris, AIX, or HP-UX servers can be maintained by a s= mall=20 ^^^^^^ ^= ^^^^ > team of administrators, and do not require these extra resources. If you = can=20 ^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^ so, money is not a resource at your site? freebsd is an os, _freely available_, running on _darn cheap_ hardware. your comparison lacks a bit of realism here, at least from the european point of view of the software/hardware prices of the vendors mentioned above. btw, i'd also like to have some of the stuff you smoke over there ;-) > still convince them to go with FreeBSD despite the extra salaries and > resources instead of the ease ( and insurance ) of buying a support contr= act > from the vendor, I commend you. Marketing is not my gig. >=20 > Nobody expects a new system to replace the current and trustworthy cvsup > method. By the same token, nobody expects The Project to support every > possible hardware/software configuration out there. On the flip side, Fre= eBSD > is not like NetBSD or Linux in that we don't support 40 architectures, an= d a > few household appliances.=20 nevertheless, release engineering for RELENG_4_X (X!=3D5) turned out to be pretty perfect for an opensource os, from my point of view. > Currently, we have 2 major architectures spanning 3 processors. Intel and= =20 > AMD processors on the PC, and Alpha. Sparc and IA64 may be considerations= in=20 > the future. For now, any patches or builds of this nature could very well= be=20 > limited to 3 supported base architectures. Typically, we have maybe 2 or 3 > critical releases of this nature per month. That comes to 3 builds three > times a month, not a considerable strain, for the benefit of releasing=20 > patches that folks will use. >=20 > I should like to note that this kind of system would be an excellent > opportunity for a FreeBSD support company to pick up some slack that perh= aps > The Project doesn't have the resources to cover. It could potentially be a > valuable service for customers and users alike. i agree partly. from my experience in the freebsd community there are quite some folks who _do_ release builds for internal use at their site. it would rather be a coordination effort to get one or more publicly available update releases available out there, if their employers would spend the resources on doing this. regards, /k --=20 > UNiX *IS* user friendly. It's just selective about who it's friends are. KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.n= et/ GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 B= F46 My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/ Please do not remove my address from To: and Cc: fields in mailing lists. 1= 0x --L/bWm/e7/ricERqM Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE8v1o3M0BPTilkv0YRAkU3AKCpxnKRnte3UjZqm175TfGA/v1lkACcDE98 Oq6dhNWKw6e97+2M8G7AaFc= =jocT -----END PGP SIGNATURE----- --L/bWm/e7/ricERqM-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message