Re: [cobalt-security] RaQ patching and security
- Subject: Re: [cobalt-security] RaQ patching and security
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Thu, 21 Mar 2002 20:13:46 +0100
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi John,
I have avoided posting on this topic so far, but you make some very good and valid
comments.
> Cobalt's packages should, of course, be given precedence.
> Pkgmaster.com was started by Cobalt and ex-cobalt support techs, wasn't
> it? In my practical experience, this conversation about 'voiding your
> warranty by patching for vulnerabilities,' is odd and from my experience
> with Cobalt or Sun support moot.
That's one of the truest and saddest points so far, isn't it?
If there are vulnerabilities which affect the Cobalt platform and pose a
threat to those who have to trust their mission critical data to it, then
there must be officially supported vendor patches. Period. One might argue
about when those patches have to be available, but not about the *if*.
Also, it somehow can't be that we have to install an unsupported patch
to get rid of the older PHP-4 versions which are still on the stock RaQ4. Or
the one that is on the XTR for which no patch is available. Not even an
unsupported one.
Furthermore I find it hilarious that SUN/Cobalt itself recognizes how badly
the bind-8.2.2 vulnerability has hurt it as a company, but still ships all
new RaQ4's with the vulnerable bind-8.2.2 aboard. Not even the OS restore CDs
have been updated.
How many customers are actually aware that these ready to run, fire up and
forget server appliances need half a dozen patches to be anywhere near
(but actually quite short of) modern security standards? Not many from my
experience.
SUN radically shifted its focus from bashing or outright ignoring Linux over
to (allegedly) fully supporting it with all its corporate weight. I still
remember the confusion in the SUN office where I was working at that time,
when Scott McNealy broke the news on SUN-TV. And I remember an after hours
conversation with a few die hard Sunny's who suddenly wanted to know what
"that Linux thingy" actually is about. One of 'em even borrowed my SuSE CD's
to take a look. ;o)
So while the need to change the focus towards Linux has been recognized in
the uppermost levels of the SUN management, it'll take ages 'til this
trickles down to the usual rank and file we might happen to run into.
Without doubt: If anyone at SUN has hands on Linux experience, then the guys
of the Cobalt division. However, just look up Ed Zander's recent "A closer
look at Linux" over here: http://www.sun.com/2002-0319/feature/ and you'll
notice that Cobalt is listed in the section "Some of Sun's products that
support Linux include:" almost at the very bottom. It looks like this was
added almost like an afterthought. Draw your own conclusions on that one.
;o)
--
With best regards,
Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer