[cobalt-security] Re: Why is there no Apache security update for RAQ3?



Once upon a time, baltimoremd@xxxxxxxxxxxxxxx <baltimoremd@xxxxxxxxxxxxxxx> said:
> Do I have a bad feeling that the RaQ4 will be relegated to the same "Throw
> Away" status?  Yes.

It should be obvious to everyone that the Cobalt/Sun upgrade path is to
throw away your hardware and buy a new box every year or two at most.
They have never had any software upgrade path for the RaQs.  There was a
RaQ1 to RaQ2 upgrade, but it was a "wipe the disk and re-install", and
probably only offered because so many RaQ1 customers complained about
the poor quality of the system.  The software updates available are just
bug fixes and a rare minor update, never any real feature upgrades.
Getting security fixes out of Cobalt has always been difficult at best;
I've seen several vulnerabilities go ignored until they were publicized
on BUGTRAQ (and then the "fix" was an unsupported hack that often broke
other things).

People have said "but it is an appliance."  Okay, but I can still get
parts for my 10-year-old appliances if they break.  If there is a major
flaw discovered, there will be a recall issued.  There are often
trade-in deals you can get on newer models.  Cobalt sold a (sometimes
half-assed) solution with no future.  Many of the new features in
various versions would have been trivial to back-port to existing
customers, but they won't, because their business model is apparently
built around a short life expectancy of their product.  They _depend_ on
a quick obsolescence; they need everyone to buy new boxes on a regular
basis.

That may work for the business or small ISP that has one or two servers,
but it doesn't for larger installations with dozens or hundreds of
servers.  We are not going to "forklift upgrade" our server farm on a
regular basis to get new software features.

Besides that, the hardware is cheap as well.  We've got a guy spending
all morning today replacing fans again (we have a couple dozen failed at
the moment).  He has to do this every two to three months.  And the fans
are getting virtually impossible to come by (unless you want to buy a
whole crate).  We used to be able to get them from Cobalt, but they
won't even return phone calls much of the time now.

That is why we're getting off the RaQ train.  We're writing our own
system to replace our 100 RaQs (mix of 1s, 2s, 3s, and 4s).  Once we've
got the basics set in a couple of months, we plan on making it available
under the GPL.  We made our first order with Penguin Computing for a
quality server and have started development.  The software will be able
to manage multiple servers natively (without having to buy another
server and software package), and our goal for version 1.0 is to replace
all the services that we use on the Cobalt RaQs and migrate all of our
RaQ hosted sites to our new system.

-- 
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.