steve at bluehost.com
Tue Nov 16 13:31:05 MST 2010
On 11/16/10 1:19 PM, Jeff Schroeder wrote:
>> Security is way too big a concern for us, even in closed off
>> environments. You do know that the linux kernel has had a butt-load
>> of root level exploits in the past year, much less multiple years?
> I hear that and agree with it. But when you're hosting a dedicated
> server for a client and that client has absolutely forbidden that the
> server be taken offline-- even for security updates-- what do you do?
> I made the argument, explained the risks involved, and was told that
> the priority is to keep the server up and available.
> After a while you pass a point of no return-- the software on the server
> is so out of date that upgrading it to the latest security patches
> means changing a hundred packages on the server. And that means
> downtime and (much more problematic) software on the server that no
> longer works because it was built years ago atop certain libraries that
> no longer exist because they've been upgraded.
> It's a tough place to be. The client pays me to keep the server running
> and not patched, and they're aware of the risks, so I do it.
> It's still cool to see something run for four or five years straight
> though. :)
Totally cool to have an uptime that long, I agree, but I have been down
the path of pain and futility that you describe, and in the long run, it
is bad for EVERYONE in the data center when it gets compromised (not if,
but when). I stand firm in the policy that I won't have a server that
is not routinely patched. They can find another location if that is
their attitude, because a compromise costs a lot of people a lot of
money, and patching vulnerabilities is so simple an issue to avoid.