Date: Thu, 18 Apr 2002 18:21:45 -0700
From: Benjamin Krueger
To: Nate Williams
Cc: Benjamin Krueger, Jeff Palmer, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020418182145.G23267@rain.macguire.net>
In-Reply-To: <15551.28438.662471.593081@caddis.yogotech.com>; from nate@yogotech.com on Thu, Apr 18, 2002 at 07:12:54PM -0600

* Nate Williams (nate@yogotech.com) [020418 18:12]:
> > > > FreeBSD currently does not enable easy maintenance between critical release
> > > > points for large server environments. Using cvsup to maintain source builds
> > > > for environments like these ( say 400 servers or more ) is not only
> > > > unacceptable without an on staff developer and release engineer, it is
> > > > infeasible.
> > > >
> > > > For those of you who would be quick to note that "Corporations with
> > > > 400 servers should be able to afford a developer and release engineer"
> > > > please note that 400 NT, Solaris, AIX, or HP-UX servers can be
> > > > maintained by a small team of administrators, and do not require these
> > > > extra resources.
> > >
> > > So, for 400 NT, Solaris, AIX, or HP-UX servers you allow a small team,
> > > and for FreeBSD you don't even allow a single engineer? Seems kind of a
> > > double standard.
> > >
> > > And as a long-time administrator, I disagree that FreeBSD is more
> > > difficult to maintain releases across systems. I've done Ultrix, SunOS,
> > > Solaris, FreeBSD, and (ack!) Linux, and I find that FreeBSD is second to
> > > Solaris, but barely so.
> > >
> > > However, Solaris doesn't even provide anything remotely close to what
> > > Brett is asking, and they're getting paid a lot for the OS than FreeBSD
> > > is getting paid.
> > >
> > >
> > > Nate
> >
> > I think you misunderstood. I meant you don't need release engineers for
> > any of the above, only FreeBSD. FreeBSD might be great, but it doesn't admin
> > itself yet. ;) Consider 4 sysadmins, and 2 release engineers for FreeBSD, as
> > opposed to just 4 sysadmins for NT / Solaris / AIX / HP-UX.
>
> Call it what you like, but I consider preparing/testing a release for
> our configuration part of the 'sysadmin' job. Certainly the IS staff at
> my company does hardware/software verification as part of their job, on
> *all* platforms (including Win98/NT/Win2K/WinME/XP, along with all of
> the *nix variants).
>
> If it makes you feel better, use the title 'release engineer', but the
> staff of 4 people should be more than adequate to do all of the tasks
> necessary to support your installations, regardless of whether FreeBSD
> is used or not.
>
>
> Nate

That is very convenient, but I wouldn't call it realistic. We're talking
about more than just verification here.
We're talking about building and testing an entire OS from source, and then
distributing it among a large number of machines. While I'm sure most
sysadmins would like to fancy themselves superpeople (I would!), most of us
aren't. ;)

The point here is that release engineering is very much a larger task than
using release patches. With a large server farm, you are going to have lots
of reasons to have folks solely dedicated to just this task.

-- 
Benjamin Krueger

"Life is far too important a thing ever to talk seriously about."
- Oscar Wilde (1854 - 1900)
----------------------------------------------------------------
Send mail w/ subject 'send public key' or query for (0x251A4B18)
Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18