On Wed, Oct 22, 2003 at 10:17:29AM -0700, Jeff Lasman wrote:

> You make some great points, Bill. But as a small business man I can't
> take the time to update or to back out updates daily. Or even weekly, or
> monthly, or quarterly, or annually. I need a server platform I can
> leave (with only security updates) for at least four years.

I never meant to suggest that production machines should be upgraded willy-nilly. Of course not. Rather, I was countering the idea that FC1 Test was somehow wildly unstable.

As to security updates for four years, I understand your reluctance to use RHEL because of price sensitivity. But Red Hat suffers from price sensitivity too -- they need to pay people to backport and QA patches. That involves personnel, equipment, and cycles. Hardware compatibility evolves, and so it is necessary to keep around hardware that was in the HCL for that release. (E.g., 440GX mobos, sold in large quantities by VA Linux and others, have broken APIC behavior.)

It may be that others can provide this service for less money. This issue has been rehashed repeatedly on this list. I'd suggest that if $100K/yr to hire someone to do maintenance on your systems, including patching and backporting, is too high, then hosting providers like yourself need to pool your resources to hire folks to do the work or divide it amongst yourselves. The Fedora Project is a natural rendezvous point, and one would assume that with a bit of coordination, the task of keeping the major server applications secure could be divided among a relatively small group, with individuals with expertise in a particular app, say Apache or MySQL, taking on maintenance of that package.

Patching is occasionally difficult, but the vast majority of security fixes are simple backports. The greatest difficulties are when (1) the upstream app is no longer vulnerable, due to extensive changes, hence there is nothing to backport, and (2) kernel patching, due to the heavily patched kernels in common use. One of the goals of Fedora Core is to keep the kernel closer to mainline, and that may help. Security-related backported patches also tend to show up in Debian stable, so it is often possible to patch an app about which one has little clue.

If you (or your customers) want *guarantees* regarding security updates, it is going to cost you money; there is no simple way around that.

Regards,

Bill Rugolsky