Slashdot Mirror
Windows Cheaper to Patch Than Open Source?
daria42 writes "Is Windows cheaper to patch than open source software? Of course this Microsoft-commissioned report thinks so - but a number of people disagree, including a key Novell Asia-Pac exec, Paul Kangro. Kangro highlights problems with the report including the fact that it refers to problems faced by administrators before 2003: before significant improvements were made to Linux patching tools. 'We didn't have tools like Xen for Linux then,' says Kangro. 'When I patch my Linux box I don't need to bring it up and down any number of times.' Kangro also points out the report doesn't mention costs associated with rebooting systems after a patch is applied."
IIRC, this is one of the things Microsoft is working on for Longhorn, being able to patch and install drivers "on the fly" without a reboot.
With XP SP2, if you enable the automatic downloading of updates, it will restart the computer automatically after teh updates are installed, unless you continuously click cancel when it comes up every 5 minutes. If your not at the computer, but have web downloads going on and it does this, it can be a real pain.
Free MacMini
I may be a bit green to the corporate methods of updating a production OS, but I would think that the process would have to be the same. You have to set up a test environmnet, ensure that the updates produce the necessary results. Then you have to test to make suer that no other software/productivity is affected. Then you have to compare baselines. Regardless of the beginning OS, these steps are necessary.
I can see two potential differences between Windows and Linux on this front, though, and they both seem to favor Linux. First, you don't have to buy a second license to run the test server. I would assume you can get away with this in Windows by not activating the product, but I could see some test phases taking over 30 days. Second, since you basically know excatly what you are updating in Linux, and what other packages are dependant on what you are updating, your testing phase can be more focused. This isn't to say that it would take less time, but rather that you know what is prima facie in the testing order.
So corporate sysadmin geeks out here... where is the advantage in this area to using either os?
"Kangro also points out the report doesn't mention costs associated with rebooting systems after a patch is applied."
This is a really underated cost that not many people include or even consider. The environment I work in has a few thousand servers and 130K desktops; all running a mix of 2K, 2003, XP - and other Windows flavors. (Like that's my choice).
The reboots after patching are a major pain, everything needs to be checked and always, and I mean ALWAYS, some servers will fail to come back up.
It's costly stuff...
I wouldn't be too sure about that; I just installed Xen on a box this past week, and the testing branch has been remarkably stable. Have you actually used Xen? That said, I like to think that the poster's larger point is that virtualization technology and its implementations - in VMWare, Xen, etc. have made patch management easier to manage, especially with all of the work going on in migrating apps and OSes. That, to me, will be the real benefit of such work.
The Norton Anthology of English Literature, 4th Ed., Vol 2
Patching open source is easy and does not need to be done as often
:)
This isn't always true!
1. If you are actually using the fact that some package is open source and run a modified source tree you need someone to maintain that tree for you. You may have to fuss with patches, especially if large or if they affect areas you have customized.
2. Depending on your package patches come willy nilly, with no co-ordination. MS releases patches the second Tuesday of every month. This actually allows some type of planning.
3. Depending on your package patches may come in series: three patches in three days, for example. I have never figured this out, but its almost like the attitude is, "well, while we are here". Additionally, you have products that are in "heavy development" with pretty serious point releases weekly or monthly. This really sucks if you are working against product. Do you wait and just upgrade once a year or every two years, or do you keep on the treadmill? MS has one good thing going for it, in that for example I installed some Win2k Servers in mid 1999 that are still on the same OS install almost 6 years later. I installed some RedHat servers at the same time, and well needless to say, I've upgraded from RedHat 5.x a number of times since
4. Patches for Linux, like Windows, still need to be tested in a production environment. Especially if you are running from a largely source built system. I admin a heavily customized web server that was built almost entirely from source, and I can very rarely do a simple "make && make install", let alone install a binary RPM. As long as there is that uncertainity, it has to be tested if you are running real IT shop.
MS is really starting to get its act together on some things, and patching is one of them. The balance with patching is the overhead versus the urgency. The OSS crowd generally see's every patch as urgent, and it reflects in the release schedule. MS generally sees few patches as urgent, and it also shows.
Well, lets look at the facts:
@ Both Linux and Windows can be easily configured to auto-update patches.
@ Windows patches are smaller (binary diffs as opposed to full updated packages).
@ However, there are more critical updates to Windows.
@ Windows has SUS, whereas Linux doesn't seem (excuse me if I'm wrong) to have any kind of distributed patch management for large businesses.
If bandwidth costs (it does), it could well be that Windows easily has less data to transfer for large organisations.
If we're talking about uptime then yes, Linux will be more "cheaper" (better uptime, minimal loss of business) in this respect.
I don't see how Windows can be cheaper from a compute cycle standpoint. You lose compute cycles during patches on all systems, it's just with Linux, you lose WAY less. You don't have to reboot. All you have to do is bounce services and your up and going. Microsoft just tells you to reboot because of the nutso way they run things. Even on Windows, you can do things to make reboots unnecessary.
Gorkman
I think Kangro was referring to more than lost business but also lost productivity.
In the case of desktops, it's going to be lost productivity. Sure you can schedule them to update and reboot in the middle of the night, but what if the user was working on something? The admins have to spend some time planning and scheduling mass updates or leave it to the user. It's trivial to reboot; it's harder to schedule for many machines so that productivity is minimally affected.
Also your argument only applies to mission critical or production machines. It does not include any development and/or testing machines that may not have a backup. Many organizations do not have the money to have a backup for every non-essential machine.
Our company is installing a new enterprise application. Every time we are rebooting the test servers, our consultants and employees are not working on the app. With new system setups, rebooting a lot is not uncommon.
Well, there's spam egg sausage and spam, that's not got much spam in it.
You imply that patching unix boxes does not have any service downtime. Particularlly with Java shit, it can take a while to bring a service back up, and that means you need the redundancy.
Well, this might be true if you consider just the operating system itself, but it doubt even this. For the begining, let's consider the following : 1). The bare OS (be it linux at a minimal install or windoes) it's mostly unusable except for browsing the web, writing things in notepad or wordpad and a few other minor things. In the real world there are a lot other things you install, from movie players, codecs to complex applications like IDE's, Office suites or business applications. In the end a typical workstation has a bunch of applications NOT included in the OS itself (I'm talking about windows here). 2). Second, Microsoft has the bad habit of counting all applications in a distribution when counting vulnerabilities, so than they can say "look, redhat had 50 security bugs this year, we had only 5". Well, let's take it the microsoft way, and consider all the applications in a distribution. Now, in the linux world a lot of applications are open source and/or supported with patches directly by the vendor (Redhat/Novell-Suse/Debian/Ubuntu,etc). In the windows world on the other hand the whole bunch of installed applications are not controlled by anyone. So, let's consider that 5 of the applications on the system need update (firefox,one office suite, and other applications). The linux way : The distro's update manager signals you that 5 security updates need to be installed. You click on the alert or manually open a terminal and run apt-get upgrade or yum update,etc and you have the system up to date again. The windows way : You go windowsupdate.com where a patch for the kernel is downloaded to prevent a a newly discovered DoS attack, then you launch mozilla firefox, where mozilla firefox's own update manager alerts you that you have to update the browser, then you go to officeupdate and update the office suite, and then you check the following app and learn that you have to download and install the patch manually, and so on for all the 5 apps. No think what happens when there are 20 or more apps to be checked, INCLUDING various supporting libraries that cannot be easily checked automatically and you have to check them one by one and patch them one by one. In the linux world the package manager updates almost anything for you in one move.(With some exceptions, of course). In the windows world, that has not a real update manager/supervisor for the whole list of installed applications, you have to do the updates one by one, by hand because there is no unified windows update manager. So... what way is simpler ? After all, it all comes to the the time required to mantain an IT infrastructure up to date, and windows falls short on this one. And we all know that time is money, right ?
Another factor tht's not considered is that with FOSS products you are free to write your own patch system if you don't find any that meet your needs. With windows you're stuck with what they offer.
GETPKG - Package Management for Slackware
In a corporate environment (or your home for that matter) you can set WinXP to have automatic updates, install automatically and restart the PC in the middle of the nigh if needed. Combine this with a product like Norton Internet Security that handles viruses and spyware, updating for both at night and running automatically and install firefox and you now have Windows system that the average user can use without maintenance for a year at a time. Linux may match one day but there is no way right now for the typical PC user, home or office.
OK, well here's a dolt and this issue comes at a perfect time.
I have two Red Hat 9 desktops that I would like to upgrade to Fedora 3. Today. Both are running Win4Lin and I want nVidia video acceleration.
I've downloaded "How to Install Win4Lin on FC3" from a Google search. Prints out to about 2-1/2 pp of 10 point on kernel recompile (and more pages on blog follow-up issues).
But nVidia acceleration is also a patch. But, but, but..... It is my understanding that you don't patch a patched kernel because the patch assumes it is being applied to an unpatched kernel and the patch won't patch. Tried it once on nVidia "custom" install with a Fedora Core 1 Win4Lin patched kernel and the nVidia splash came up, the background came up -- and it locked.
So, undolt me. How do I get the functionality of _multi_-patching linux kernels?
Make sure it is simple. Remember, I'm a dolt.
I'll check back.
What seems to work for me in that instance is leaving the dialog open, but dragging it nearly entirely off screen.
You know what bugs the fuck out of me? Windows XP changing the behaviour of the "turn off" option to "download updates". The rare times I actually do boot into Windows only serves as a reminder of why I don't like doing it.
In the average lifetime a Windows user is able to apply 42,195 patches, counting updates for AVG, Spybot, AdAware, etc, and reapplying patches when the OS requires reinstallation. The average Linux user applies only 224 patches in the same number of years. If that isn't proof that Windows is easier patch, I don't know what is.
for a in `cat machine-list.txt`
do ssh "root@$a" apt-get update
done
How hard is that?
LedgerSMB: Open source Accounting/ERP
Erm, I think that it is you who might need to check :) Iana isn't down. The IP address of www.iana.org is 192.0.34.162 - I suspect that you have an interface configured with 192.168.0.2 netmask 255.0.0.0 or something like that. Or a dodgy route.
Get your own free personal location tracker