[wplug] Whats an Installfest?

Patrick Wagstrom pwagstro at andrew.cmu.edu
Sun Sep 11 12:21:14 EDT 2005


> Last time I looked at Debian, I had a RedHat System with Kernel 2.4.18
> and Debian was offering a choice between 2.2.x and 2.4.9 (or something
> ridiculous like that).  Debian stable may be stable, but it's so old it
> isn't secure at all.  I know, I know, a new stable just came out, and I
> could just run testing, but Gentoo updates for security fixes as these
> bugs happen, and I can have it all up to date the day after a new
> security hole is announced.  Love my Gentoo, I'll never change.

"It's so old it isn't secure at all."

You kids today crack me up.  You really should learn something about
security, or at the very least the way that Debian handles security.
It's FAR more likely that by running bleeding edge stuff you're
introducing yourself to security holes than by running older stuff.
Debian also has a security archive that is updated when things need
patching; apt-get will automagically pull down the new archives.

Next thing you're going to be telling me is that by running OpenBSD 3.2
on my server, which was released in November 2002, I'm less secure than
running Gentoo updated to the latest minute.  See, in the older stuff
people have had a chance to test it and look at it, and see if there are
problems.  If there are, they get patched and you pull down the patches.

Now now, I see that you say that you have your system patched the day
after the hole is announced; good for you for being a good netizen.  But
what you're missing is that it is running newer stuff that opens up
those holes in the first place.

Just something to ruminate about.

--Patrick

PS. In the six years I've been running OpenBSD, I've had to patch my
servers 1 time for a remotely exploitable root hole.  The hole only
affected versions 3.0 and up.  My OpenBSD 2.7 box is still chugging
along, secure as the day I installed it.


