12-28-2004
Douglas Siebert

Re: Rate of Critical/Security Patches

"Bryan Brock" <bbrock@gmail.com> writes:

>> Can anyone here point me to a site for reliable unbiased
>> patching rate for SuSE Enterprise Linux, HP-UX, AIX and
>> Windows Server?

>Sounds like you're concerned with patches/time or critical patches/time
>that would need to be done by someone on site.

>I don't know of any site that has information on that, but if patching
>rate = the number of patches released by a vendor over time, then it
>should be possible to calculate it based on the dates of the last few
>patch bundles for a target OS and the number of patches in each patch
>bundle.

>If you are looking for number of critical patches/month, you could do
>something like this:

>1. Download all the latest patch bundles for an OS.

>2. Use a patch utility to count the patches and extract their dates.
>If that's not possible, you could go to the vendor's patch site, count
>the patches there, and try to find an associated date for each patch or
>bundle on the site.

>SLES patch dates:
>rpm -qa --info | grep "Build Date:"

>HP-UX patch dates:
>swlist -d -a readme -l patch @ /usr/local/adm/GOLDQPK11i_B.11.11.0406.5.depot | grep 'Creation'



The date of "Creation" or "Build" often has nothing to do with when the
patch comes out. And you are looking at a quality pack, which is released
on a schedule, so you know how many of those there are for HP-UX. It is
somewhere in between Microsoft's monthly patch bundles that collect a
dozen or more patches, and a service pack that collects hundreds (except
HP releases all the component patches separately so you don't have to wait
if you need one right away). When you look at Linux you have to realize
that SuSE and Red Hat include about 5GB of stuff, so the patch totals for
Linux are misleading because patches for some obscure version of a CD
burning app that is only exploitable by a local user aren't really
something you care about on a server -- but Microsoft will still count
them against Linux when they want to claim how it has more security problems
than Windows.

I don't think the OP is even asking the right question. What he really
wants are servers that can be administered remotely in large numbers
without undue effort. Most people would agree that eliminates Windows,
but between Linux, HP-UX and AIX they'd be on roughly equal footing. Once
you have your scripts set up, it isn't really any harder to patch 2000
servers than it is to patch 20.

--
Douglas Siebert dsiebert@excisethis.khamsin.net

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety" -- Thomas Jefferson
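As an added example, not part of either poster's message, here is a shell pipeline that carries out step 2 of the quoted procedure on the SLES side: it reads `rpm -qa --info` output and tallies packages by build month, then reports the average per month. The rpm output is a constructed sample embedded in the script so it runs offline; the `patches_per_month` and `average_per_month` function names are my own.

```shell
#!/bin/sh
# Constructed sample of `rpm -qa --info` output, trimmed to the two fields
# this script uses. Real output has a dozen more lines per package.
SAMPLE_RPM_INFO='Name        : kernel-default
Build Date  : Tue 14 Dec 2004 10:23:11 AM CET
Name        : openssl
Build Date  : Mon 06 Dec 2004 04:17:02 PM CET
Name        : apache2
Build Date  : Wed 17 Nov 2004 09:02:55 AM CET
Name        : k3b
Build Date  : Fri 19 Nov 2004 01:40:12 PM CET'

# patches_per_month: read rpm --info text on stdin and print one
# "YYYY-MM count" line per month, oldest first. Only the Build Date field
# is consulted, so this measures when packages were built, not when the
# vendor shipped them (the caveat raised in the reply above).
patches_per_month() {
    awk '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) num[m[i]] = sprintf("%02d", i)
        }
        # Field layout: Build Date : Tue 14 Dec 2004 10:23:11 AM CET
        #               $1    $2   $3 $4  $5 $6  $7   $8       $9 $10
        /^Build Date/ { count[$7 "-" num[$6]]++ }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# average_per_month: mean number of packages per observed month, one decimal.
average_per_month() {
    patches_per_month | awk '{ sum += $2; n++ } END { if (n) printf "%.1f\n", sum / n }'
}

printf '%s\n' "$SAMPLE_RPM_INFO" | patches_per_month
printf 'average per month: %s\n' "$(printf '%s\n' "$SAMPLE_RPM_INFO" | average_per_month)"
```

On a real system replace the sample with `rpm -qa --info | patches_per_month`; the k3b line in the sample illustrates the point above that desktop packages inflate the count on a server.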