On Tuesday 16 May 2006 01:43, Sandro guly Zaccarini wrote:
> On Tue, May 16, 2006 at 10:20:45AM +0000, Steffen Wendzel wrote:
> openbsd team work with security in mind.
> automagically-download-patch-install-upgrade is NOT security. if you
> have 1/2 systems, you do not need no automation. if you have a lot of,
> you can waste a couple of minutes to install a build-my-binary-patch
> box.
> this is insane, think about what will your boss do if your automagical
> upgrade broke your mysql (like debian does). think about it a while.

For a good example of what it takes to do a quality patching system, look at
Redhat. Look at all the aspects of their system (from up2date or yum) to
their package manager (rpm with GPG signed packages for integrity) to their
patching policy (back-patching security problems for the lifetime of the
distribution release, 7 years).

IMHO, that's what it takes for a real secure enterprise level patching system,
and I doubt the openbsd developers would want to develop anything less
secure, and I doubt they have the resources to implement something equivalent
to this anytime soon. Mainly because of the back-patching. The rest is easy
to implement or build, but the back-patching is very resource intensive.

--
- Kevan Benson
- A-1 Networks
- 707-570-2021 x202