“When choosing an operating system for use in your enterprise, you need to look beyond the security capabilities ‘on the box’ and think about how the OS really affects you over the long haul. You need to be prepared for the patching, upgrading, and maintenance issues each OS has and understand how these activities affect your security and availability.”
More of an overview than an in-depth treatment. The last paragraph in the article is the most important, but one likely to be overlooked.
Reading through the comparison of development models, and voilà… Linux has a bad development model, but he still recommends it for most, with reservations?
ODD! Especially since he said nothing bad about FreeBSD in this concern…
Linux distributions are more secure in a business environment. Why? Because they are easier to patch/update than any of the BSD systems. Sure, OpenBSD may have fewer security flaws, but when they do have them, it's much easier to update Linux distributions.
And remember: it's not just the OS you're using, it's the applications on top of that.
Easier? Are you kidding me?
Can you motivate this with anything remotely intelligent?
Easier to update than Linux? Here are the steps for FreeBSD:
# cvsup /path/to/standard-supfile   (fetch the current kernel and userland source via CVS)
# cd /usr/src
# make buildworld
# make buildkernel
# make installkernel
# reboot                            (boot the new kernel, single-user)
# mergemaster -p
# make installworld
# mergemaster
# reboot
This is all that it takes to download new source and recompile the kernel. There are a few binary methods of updating the kernel as well. Some of the binary methods (if not all) also support a graphical interface. Now, the above process covers the kernel, base and userland utilities.
Now, in regards to the applications:
# cvsup /path/to/ports-supfile      (fetch the current ports tree via CVS)
# make fetchindex                   (build/fetch the ports index; not sure about the 5.x branch)
# cd /usr/ports/category/port ; make install   (compile and install the application)
Now, in regards to compiling the application: you actually have a config file that you can set up so that it will maintain all your compile options for every application. Once it's set, it's set. If you want to upgrade your applications, you can use portupgrade (aka one command).
As for the other BSDs, there are some automated tools that work with the config files; aka they don't use mergemaster (from what I remember).
So you have the source and binary way to patch your kernel and tools. You also have an easy way to install applications as well as upgrade them.
I hope that some (Open, Net, DF) BSD users can correct me on how easy it is to patch their systems, as well as install and upgrade applications.
PS: forgot to mention that I am a FreeBSD and Debian user. And yes, Debian also makes it easy as well.
PPS: Just trying to point out that both can be upgraded. Just trying to dispel some *BSD myths. That's all.
“PPS: Just trying to point out that both can be upgraded. Just trying to dispel some *BSD myths. That's all.”
Oops. Typo. Should have been:
“Just trying to point out that both can be easily upgraded. Just trying to dispel some *BSD myths. That's all.”
Is there an easier way?
With Arch Linux, all you have to do is:
# pacman -Syu
and your entire system is up to date.
Although, I think your method updates using source, and the Arch Linux method uses binaries, so they're not really comparable.
I was thinking of trying FreeBSD6 on my laptop when it comes out, but it seems a bit too different than what I’m used to 🙁
“Easier to update than Linux? Here are the steps for FreeBSD:”
Dude, you’re recompiling your entire system in your listed steps. Do you really think Enterprise administrators are going to want to recompile their kernel, base libraries and executables every time there is an apache vulnerability? Your example takes at least an hour and requires a reboot. “rpm -Uvh apache.rpm” takes a few seconds and requires only one service to be restarted.
You’re comparing patching a security hole in the kernel / OS, with updating an application … very different beasts.
To update an application in FreeBSD you either use the ports tree or the package tools, depending on if you want to compile the app yourself or not.
To update Apache on FreeBSD using the ports tree requires:
1. cvsup the ports tree
2. fetch the new index (make fetchindex)
3. run portupgrade to automate downloading the new sources, compiling the new version, uninstalling the old version, and installing the new version
4. restart Apache
To update Apache on FreeBSD using the pkg tools requires:
1. run portupgrade with -P or -PP to automate downloading the new binary package, uninstalling the old version, and installing the new version
2. restart apache
Something I’ve never liked about Linux distributions is that there is no clear delineation between what is the OS and what are the apps running on top. Since every little command on the system is packaged and managed through the same package manager as the apps, everything is all intermingled. How do you update just the base OS services, without updating your apps (like Apache, Postfix, MySQL, KDE, etc.)? Why is everything installed into /usr?
The nice thing about the BSDs is that you know what’s part of the base OS (/ and /usr), and you know what’s been installed on top (/usr/local and similar). You know that you can update the base OS independent of the applications, and vice versa.
Show me a Linux distro that has the concept of a BASE OS that can be upgraded / patched completely independent of the apps running on top, and you’ll make a lot of IT people very happy.
Dude,
I am sorry to say, you don’t know what you are talking about. When it comes to compiling kernels, you have to reboot the server in order to boot into the new kernel.
And for your info, FreeBSD is one of the oldest and most respected free open source operating systems. Besides, the “rpm -Uvh” method you mentioned is so damn dependency-ridden that I would never want to work with RPMs unless forced. That’s all from me.
Actually, OpenBSD is one of the simplest systems to patch. Take a look at http://www.openbsd.org/errata37.html and view the instructions in each patch to see what I mean. Far simpler than patching FreeBSD. Second, out of the hundreds of security updates to OpenBSD, only one in 8 years allowed root access. How many has Linux had in the past 8 years, even with its “simple” patching system?
I might be the odd type, but I find updating OpenBSD extremely easy. Update your cvs tree, then compile and install kernel/userland/X/ports, then merge changes from configuration files and make devices. Only Gentoo Linux makes it easier with portage.
You want it even easier? Look at ‘man release’; set up a build machine and automate every step in a small shell script, and it will automagically produce a custom-tailored install medium of your choice (CD, ramdisk kernel to PXE-boot, whatever) that will deploy your customized OS without any hassle.
Then again, for an enterprise it probably *is* easier to have a binary update mechanism that works à la Windows Update; but this doesn’t give you a clean OS from scratch.
As always, it solely depends on the capabilities of the administrator in charge.
I was going to say this too. OpenBSD is by far the easiest system to patch of any I’ve used. The security advisories are easy to find, well described, and even doing patches manually is really easy.
Uh, no.
The easiest system to keep updated, with patches, security updates, and kernel updates, is Debian. It is the most stable and secure system for the enterprise.
apt-get update
apt-get dist-upgrade
Done. You can also upgrade only certain packages. Also, Debian does not make changes to config files where you have made changes from the package maintainer version (and stops, and asks you how you want to proceed).
There isn’t a better enterprise OS. Fact.
Funny that the article failed to mention an open OS whose primary concern is security. Also, it seemed to concentrate mostly on the update management aspect of the systems.
the title should be “Selecting a Cheap Enterprise OS”
If you need a secure OS, use OpenVMS.
I agree, this OS is one of the most secure operating systems in the world. It is widely deployed, scalable, and is continuing to grow. HP pissed away a software gem when they acquired Compaq. Had they marketed OpenVMS more than HP-UX, OpenVMS may have had a commanding share of the operating system market. DCL is probably the biggest hurdle to getting users to use OpenVMS, but in time OpenVMS will provide a full POSIX-like interface so application developers can take advantage of its huge install base.
“linux distributions are more secure in a business environment. why? because it is easier to patch/update than any of the BSD system – sure, openbsd may have less security flaws – but when they do – its much easier to update linux distributions.”
You are _so_ clueless. Please talk only if you know what you’re saying; otherwise, please shut up. It’s garbage. OK, here is how to update FreeBSD from kernel to userland to 3rd party:
cvsup /path/to/standard-supfile
mergemaster -p
cd /usr/src
make buildworld
make buildkernel KERNCONF=YOURKERNEL
make installkernel KERNCONF=YOURKERNEL
make installworld
mergemaster
portsnap fetch
portsnap update
portupgrade -a
Have you ever seen it done that easily? Not even in Windows. In Windows people need to find the updates on different sites all over the internet. So next time you whine, first try, then talk. Cheers!
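Added example, not posted by anyone in this thread: the same FreeBSD source-upgrade sequence as a POSIX sh runbook, split into a build phase that ends at installkernel and a second phase to run after rebooting into the new kernel (the order the earlier FreeBSD post in this thread also gives). The supfile path, /usr/src and the GENERIC kernel name are assumptions that can be overridden through the environment; DRY_RUN=1 prints the steps instead of executing them, and the preflight refuses to run for real without root or a source tree.

```shell
#!/bin/sh
# Added example (not from the thread): the FreeBSD buildworld/installworld
# sequence with the sanity checks an admin wants before touching a live box.
# Assumed defaults: supfile path, /usr/src, kernel config name GENERIC.
set -eu

SRC=${SRC:-/usr/src}
SUPFILE=${SUPFILE:-/usr/share/examples/cvsup/standard-supfile}
KERNCONF=${KERNCONF:-GENERIC}
DRY_RUN=${DRY_RUN:-0}

# Ordered steps for one phase, one command per line. Kept in a function so
# the order can be reviewed (or checked) without executing anything.
upgrade_steps() {
    case $1 in
    build)
        cat <<EOF
cvsup $SUPFILE
mergemaster -p
cd $SRC && make buildworld
cd $SRC && make buildkernel KERNCONF=$KERNCONF
cd $SRC && make installkernel KERNCONF=$KERNCONF
EOF
        ;;
    install)
        cat <<EOF
cd $SRC && make installworld
mergemaster
portsnap fetch
portsnap update
portupgrade -a
EOF
        ;;
    *)
        echo "unknown phase: $1 (use build or install)" >&2
        return 1
        ;;
    esac
}

# Refuse to run for real unless we are root and a source tree is present.
preflight() {
    [ "$DRY_RUN" = 1 ] && return 0
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    [ -d "$SRC/sys" ] || { echo "no source tree at $SRC" >&2; return 1; }
}

# Execute (or, under DRY_RUN=1, only print) each step; stop at the first failure.
run_phase() {
    preflight
    upgrade_steps "$1" | while IFS= read -r cmd; do
        echo "+ $cmd"
        [ "$DRY_RUN" = 1 ] && continue
        eval "$cmd" || { echo "step failed: $cmd" >&2; exit 1; }
    done
    if [ "$1" = build ]; then
        echo "now reboot into the new kernel, then run this script with 'install'"
    fi
    return 0
}

# Entry point: ./upgrade.sh build, then (after reboot) ./upgrade.sh install.
case "${1:-}" in
build|install) run_phase "$1" ;;
esac
```

Dry-run it first (`DRY_RUN=1 sh upgrade.sh build`) to see exactly what would be executed; the split across a reboot is the step the one-liner above glosses over, since installworld should run on the new kernel.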
“Do you really think Enterprise administrators are going to want to recompile their kernel, base libraries and executables every time there is an apache vulnerability?”
As mentioned in my post above, 3rd party software can be updated with “portsnap fetch ; portsnap update ; portupgrade -a”. Again, you don’t read and have no clue what you are talking about.
You don’t need to buildworld on all the machines. Set up a build machine and NFS mount /usr/src and /usr/obj on all the other clients. Then one simply runs buildworld once on the build machine and installworld on the clients.
Ports can be done in a similar fashion.
Don’t bother trying to use NFS to share out a central ports tree. Not worth the hassle when you try to update a single program across a dozen+ systems, at the same time.
Better solution: set up a central build system and build binary packages (make package instead of make install) which will all be put into /usr/ports/packages/All. NFS mount that directory to the other systems, and use portupgrade -PP to do the upgrade using your custom binary packages.
Reading through these posts I see some people talking about compilation, make installs, blah blah, and other obscure tactics. FreeBSD and OpenBSD users… what the hell are you talking about? Same goes for the Debian and Gentoo and other desktop distros. We are talking about enterprise systems. Have you ever worked in real life? Just install the damn SUSE Enterprise Server and get done with it. Updates are automatic. Desktops? openSUSE. Just configure them to download the patches from the server. You are the funniest guys I’ve seen! LOL
“I’ll just tell you upfront that I’m a FreeBSD zealot”
Yeah, that’s all you need to know. There are other OSes out there that are more secure than BSD, Linux, and Windows; OpenVMS for one. Probably any of the good old IBM mainframe OSes as well.
The preferred models of most OSNews visitors seem to be open source, non-commercial products. And then they often cannot agree on which distro is better, even between the BSDs and Linux flavors. But they all agree that “open is better, choice is better”.