Windows Cheaper to Patch Than Open Source?
daria42 writes "Is Windows cheaper to patch than open source software? Of course this Microsoft-commissioned report thinks so - but a number of people disagree, including a key Novell Asia-Pac exec, Paul Kangro. Kangro highlights problems with the report including the fact that it refers to problems faced by administrators before 2003: before significant improvements were made to Linux patching tools. 'We didn't have tools like Xen for Linux then,' says Kangro. 'When I patch my Linux box I don't need to bring it up and down any number of times.' Kangro also points out the report doesn't mention costs associated with rebooting systems after a patch is applied."
It might be easier if you have no idea how to really use a computer, and are not willing to learn. Those people will never leave the "comfort" of a familiar thing. They fear change, especially when it forces them to actually think for themselves.
And they said zombies weren't real!
So Microsoft says Windows is cheaper to patch, whereas Novell (who own Suse) say Linux is cheaper to patch.
Can someone tell me why this is news?
[...]problems with the report including the fact that it refers to problems faced by administrators before 2003: before significant improvements were made to Linux patching tools. 'We didn't have tools like Xen for Linux then,' [...]
Oh, come on. Practically speaking, we don't have Xen for Linux *now*. Sure it's cool and all (which is why it's slipped into this basically unrelated story) but it's not nearly ready for the Linux mainstream and I'd be surprised if more than a handful of people are using it heavily in production.
Every time I read about another "paid by Billy G" report it always reminds me of the joke: How many Microsoft engineers does it take to change a lightbulb? None. Microsoft defines darkness as the new standard.
Really? The 'apt-get update && apt-get upgrade' I did earlier today on my Debian (testing) box took less than a minute, and installed not just the latest security patches but also the latest versions of all my software. That was pretty much free.
Conversely, Windows Update only updates Windows (not my other apps), and takes at least 15 minutes every time I run it.
...but only if you don't count the hours of lost or reduced productivity waiting for MS to get around to releasing their patches.
I didn't RTFA but any company that is going to lose more than a few pennies from a reboot is going to have redundant servers in place already. It is not difficult to stagger the application of patches to server machines in a farm, which all but eliminates the cost of a reboot.
Anything from Novell that is spoken against Microsoft is suspect anyway. I'm not a big Microsoft fan, but the animosity between the two companies is well documented.
Any company where the majority of the cost is in the patching process itself, rather than the testing of the patch, the secondary servers in the test lab that they can make sure it doesn't blow services up on, the payment of skilled people to identify the problems and fix them *when* they happen and various other people costs is of course going to be more expensive than "I set up windows updates once, so now it updates me magically whether I like it or not", even without the reboot thing.
There is also some really iffy logic in breaking down one single piece of the ownership cycle and claiming that it is cheaper and ignoring the rest. I tell you, paying for college for my persistently vegetative child is uber-cheap, I can't say enough for persistent vegetation...
IIRC, this is one of the things Microsoft is working on for Longhorn, being able to patch and install drivers "on the fly" without a reboot.
With XP SP2, if you enable the automatic downloading of updates, it will restart the computer automatically after the updates are installed, unless you continuously click cancel when it comes up every 5 minutes. If you're not at the computer, but have web downloads going on and it does this, it can be a real pain.
The cost of rebooting on some machines is astronomical. I know we had some management software on a data line connected to the stock exchange. From the hours of 8-5 any downtime would cost over $10k/second, not to mention any lawsuits that could have been processed if someone lost money and couldn't sell their stocks when they wanted. On the other hand, most machines are not nearly that critical, and reboots can be done at off hours. I would say that Windows systems are less costly to patch for another reason. Almost anyone with technical ability can patch Windows. You can hire Windows admins on the cheap. To get Unix admins will cost more if you want someone that knows what they are doing. I wonder if they take the cost of knowledgeable staff into the equation. Otherwise, the cost of patching for either can be huge or trivial depending on the patch and the situation. Also, Windows is a lot better now with the reboots. You don't have to reboot nearly as much as in the past.
/. ++
I may be a bit green to the corporate methods of updating a production OS, but I would think that the process would have to be the same. You have to set up a test environment, ensure that the updates produce the necessary results. Then you have to test to make sure that no other software/productivity is affected. Then you have to compare baselines. Regardless of the beginning OS, these steps are necessary.
I can see two potential differences between Windows and Linux on this front, though, and they both seem to favor Linux. First, you don't have to buy a second license to run the test server. I would assume you can get away with this in Windows by not activating the product, but I could see some test phases taking over 30 days. Second, since you basically know exactly what you are updating in Linux, and what other packages are dependent on what you are updating, your testing phase can be more focused. This isn't to say that it would take less time, but rather that you know what is prima facie in the testing order.
So corporate sysadmin geeks out here... where is the advantage in this area to using either os?
I just can't agree with that report. From 1999 to 2002 I did work for a datacentre with 150 Linux servers and 26 NT and then Windows 2000 server servers. Keeping figures on those I can say that the total downtime due to upgrades and patching for both groups in total was almost the same.
Until recently, I was in charge of the Windows server patching for a ~1000-unit server farm, and all I can say is Microsoft sucks big time when it comes to fixing high-availability systems. I even developed in-house a patch management system because of the chronic unreliability of SMS for patch distribution. Compared to a Linux-based system using the simple APT, Microsoft is nowhere, useless, dangerous.
SUS, SMS, WUS, ... all are great when you speak about GUI, all suck when you speak about efficiency. Not to mention the poor quality of M$ patches themselves: just have a look at the troubles a MS05-019 can provoke.
Yeah, a good Linux distribution wipes the floor with the M$ patching goof.
Here's what else the Microsoft report found....
Linux will recalibrate your refrigerator's coolness setting so all your ice cream melts and milk curdles. It will demagnetize the strips on all your credit cards, reprogram your ATM access code, screw up the tracking on your VCR and use subspace field harmonics to scratch any CDs you try to play. It will give your ex-boy/girlfriend your new phone number. It will mix antifreeze into your fish tank. It will drink all your beer and leave its dirty socks on the coffee table when there's company coming over. It will hide your car keys when you are late for work and interfere with your car radio so that you hear only static while stuck in traffic. Linux will make you fall in love with a hardened pedophile. It will give you nightmares about circus midgets. It will replace your shampoo with Nair and your Nair with Rogaine, all while your current boy/girlfriend is dating behind your back and billing their hotel rendezvous to your Visa card. It will seduce your grandmother. It does not matter if she is dead, such is the power of Linux, it reaches out beyond the grave to sully those things we hold most dear. Linux will give you Dutch Elm disease. It will leave the toilet seat up and leave the hairdryer plugged in dangerously close to a full bathtub. It will remove the forbidden tags from your mattresses and pillows, and refill your skim milk with whole. It is insidious and subtle. It is dangerous and terrifying to behold. It is also a rather interesting shade of mauve. These are just a few signs. Be afraid. Be very, very afraid. Windows is so much safer.
The weak spot in the credibility is always..."Microsoft commissioned report".
(Apologies to Laika)
"Kangro also points out the report doesn't mention costs associated with rebooting systems after a patch is applied."
This is a really underrated cost that not many people include or even consider. The environment I work in has a few thousand servers and 130K desktops; all running a mix of 2K, 2003, XP - and other Windows flavors. (Like that's my choice).
The reboots after patching are a major pain, everything needs to be checked and always, and I mean ALWAYS, some servers will fail to come back up.
It's costly stuff...
How about desk-bound employees and their patches? Don't we count?
I use a lot of non-MSFT apps, and if one of them fails to work with the patched Windows system, I'm going to lose a lot of time. I've already had one "security patch" to something do weird things to my system, making it impossible for me to see the hard drive password prompt. Multiply that by every laptop in the company and you have a lot of support calls.
Another "security patch" seems to have hosed the network finder so that it can't automatically pick up a new IP address from the LAN. I have to manually change the settings and ..... guess what? REBOOT to force it to pick up the new IP address. Every time I have to log on from home, that's TWO reboots and two manual interventions to what should be automatically happening.
Does Windows have an equivalent? I think not.
James P. Barrett
We, Unixers, usually miss the point that, while we don't have to reboot the whole computer at each and every important patch, we have to bring services down and then back up when they are significantly patched. For a database server it's not the system uptime that counts - it's the database uptime. If it goes down, I could as well have rebooted the whole server - the phone will ring just the same.
While this is a whole lot better than Windows, they are getting closer.
And... Well... The fact it was paid by Microsoft says nothing about the report. I sure would like to see the other reports paid by Microsoft that say FOSS is cheaper, more reliable, more ethical and that are tucked away somewhere in a folder marked "secret"
http://www.dieblinkenlights.com
Patching open source is easy and does not need to be done as often
:)
This isn't always true!
1. If you are actually using the fact that some package is open source and run a modified source tree you need someone to maintain that tree for you. You may have to fuss with patches, especially if large or if they affect areas you have customized.
2. Depending on your package patches come willy nilly, with no co-ordination. MS releases patches the second Tuesday of every month. This actually allows some type of planning.
3. Depending on your package patches may come in series: three patches in three days, for example. I have never figured this out, but it's almost like the attitude is, "well, while we are here". Additionally, you have products that are in "heavy development" with pretty serious point releases weekly or monthly. This really sucks if you are working against product. Do you wait and just upgrade once a year or every two years, or do you keep on the treadmill? MS has one good thing going for it, in that for example I installed some Win2k Servers in mid 1999 that are still on the same OS install almost 6 years later. I installed some RedHat servers at the same time, and well needless to say, I've upgraded from RedHat 5.x a number of times since.
4. Patches for Linux, like Windows, still need to be tested in a production environment. Especially if you are running from a largely source built system. I admin a heavily customized web server that was built almost entirely from source, and I can very rarely do a simple "make && make install", let alone install a binary RPM. As long as there is that uncertainty, it has to be tested if you are running a real IT shop.
MS is really starting to get its act together on some things, and patching is one of them. The balance with patching is the overhead versus the urgency. The OSS crowd generally sees every patch as urgent, and it reflects in the release schedule. MS generally sees few patches as urgent, and it also shows.
Well, let's look at the facts:
@ Both Linux and Windows can be easily configured to auto-update patches.
@ Windows patches are smaller (binary diffs as opposed to full updated packages).
@ However, there are more critical updates to Windows.
@ Windows has SUS, whereas Linux doesn't seem (excuse me if I'm wrong) to have any kind of distributed patch management for large businesses.
If bandwidth costs (it does), it could well be that Windows easily has less data to transfer for large organisations.
If we're talking about uptime then yes, Linux will be more "cheaper" (better uptime, minimal loss of business) in this respect.
I don't see how Windows can be cheaper from a compute cycle standpoint. You lose compute cycles during patches on all systems, it's just with Linux, you lose WAY less. You don't have to reboot. All you have to do is bounce services and you're up and going. Microsoft just tells you to reboot because of the nutso way they run things. Even on Windows, you can do things to make reboots unnecessary.
Gorkman
When Microsoft continues to fund these highly biased reports and surveys, the Open Source community should be happy. It means that Microsoft considers Open Source to be a real competitor. In effect, Microsoft is doing more to validate Open Source and increase the visibility of Open Source than anyone could hope for.
I think Kangro was referring to more than lost business but also lost productivity.
In the case of desktops, it's going to be lost productivity. Sure you can schedule them to update and reboot in the middle of the night, but what if the user was working on something? The admins have to spend some time planning and scheduling mass updates or leave it to the user. It's trivial to reboot; it's harder to schedule for many machines so that productivity is minimally affected.
Also your argument only applies to mission critical or production machines. It does not include any development and/or testing machines that may not have a backup. Many organizations do not have the money to have a backup for every non-essential machine.
Our company is installing a new enterprise application. Every time we are rebooting the test servers, our consultants and employees are not working on the app. With new system setups, rebooting a lot is not uncommon.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Do you think that Novell's Kangro might have been talking about Novell Zenworks for linux?
http://www.novell.com/products/zenworks/
Sorry but this stuff is particularly trivial, patching 10, 100 or 1000 machines.
e.g.
echo 'ALL:root: 15 18 * * * /afs/admin/scripts/patchme' >> /etc/crontab.master
Where the crontabs are centrally managed, patchme checks for resources, goes to sleep for a while, runs OS, platform and rev specific patch download and install subroutines which run yum update, apt-get update, patchadd, rpm -Uvh etc. Report progress to a central monitoring system like Big Brother or Zabbix as the patching process runs through the various stages.
Even talking about the cost of the patching process itself is missing the point. Anyone who has a lot of machines will already have a largely automated enterprise wide cross platform patching system in place. Applying a specific patch will be a case of dropping a pre-tested file into a directory on a file server. If you don't have such a system WTF are you doing wasting your time on Slashdot?
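The kind of dispatcher that comment describes (check resources, sleep for a while, run the platform-specific update, report each stage), as an added example that is not part of the original post or the poster's actual patchme script. The function names, the 512 MiB threshold, the 30-minute splay window and the PATCHME_MODE variable are assumptions; only apt-get and yum are covered, and reporting goes to stderr rather than to a monitoring system.

```shell
#!/bin/sh
# Sketch of a cron-driven "patchme" dispatcher (constructed example).
# Nothing runs unless PATCHME_MODE is set to "dry-run" or "apply".

# Find the first supported package manager in a colon-separated search path.
detect_pkg_manager() {
    search_path=${1:-$PATH}
    for tool in apt-get yum; do
        old_ifs=$IFS; IFS=:
        for dir in $search_path; do
            if [ -x "$dir/$tool" ]; then
                IFS=$old_ifs
                echo "$tool"
                return 0
            fi
        done
        IFS=$old_ifs
    done
    return 1
}

# Map a package manager to its non-interactive update command.
patch_command() {
    case "$1" in
        apt-get) echo 'apt-get update && apt-get -y upgrade' ;;
        yum)     echo 'yum -y update' ;;
        *)       return 1 ;;
    esac
}

# Deterministic per-host delay in [0, max) so a large fleet does not hit
# the package mirror in the same second.
splay_seconds() {
    host=$1; max=$2
    if [ "$max" -le 0 ]; then echo 0; return 0; fi
    crc=$(printf '%s' "$host" | cksum | cut -d' ' -f1)
    echo $((crc % max))
}

# Resource check: succeed only if at least min_kb KiB are free under dir.
has_free_space() {
    dir=$1; min_kb=$2
    avail=$(df -Pk "$dir" | awk 'NR==2 {print $4}')
    [ -n "$avail" ] && [ "$avail" -ge "$min_kb" ]
}

# Stage reporting; a real deployment would forward this to its monitoring.
report() {
    printf '%s patchme[%s] %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$*" >&2
}

patchme_main() {
    has_free_space /var 524288 || { report "abort: less than 512 MiB free in /var"; return 1; }
    mgr=$(detect_pkg_manager) || { report "abort: no supported package manager"; return 1; }
    cmd=$(patch_command "$mgr")
    delay=$(splay_seconds "$(uname -n)" 1800)
    if [ "${PATCHME_MODE:-}" != apply ]; then
        report "dry-run: would sleep ${delay}s, then run: $cmd"
        return 0
    fi
    report "sleeping ${delay}s"
    sleep "$delay"
    report "running: $cmd"
    if sh -c "$cmd"; then
        report "done"
    else
        report "FAILED: $cmd"
        return 1
    fi
}

case "${PATCHME_MODE:-}" in
    dry-run|apply) patchme_main ;;
esac
```

Running it with PATCHME_MODE=dry-run on a test host shows which command and delay a given machine would get before the crontab entry is rolled out.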
Well, this might be true if you consider just the operating system itself, but I doubt even this. For the beginning, let's consider the following: 1). The bare OS (be it Linux at a minimal install or Windows) is mostly unusable except for browsing the web, writing things in Notepad or WordPad and a few other minor things. In the real world there are a lot of other things you install, from movie players, codecs to complex applications like IDEs, Office suites or business applications. In the end a typical workstation has a bunch of applications NOT included in the OS itself (I'm talking about Windows here). 2). Second, Microsoft has the bad habit of counting all applications in a distribution when counting vulnerabilities, so that they can say "look, redhat had 50 security bugs this year, we had only 5". Well, let's take it the Microsoft way, and consider all the applications in a distribution. Now, in the Linux world a lot of applications are open source and/or supported with patches directly by the vendor (Redhat/Novell-Suse/Debian/Ubuntu, etc). In the Windows world on the other hand the whole bunch of installed applications are not controlled by anyone. So, let's consider that 5 of the applications on the system need update (firefox, one office suite, and other applications). The Linux way: The distro's update manager signals you that 5 security updates need to be installed. You click on the alert or manually open a terminal and run apt-get upgrade or yum update, etc and you have the system up to date again. The Windows way: You go to windowsupdate.com where a patch for the kernel is downloaded to prevent a newly discovered DoS attack, then you launch mozilla firefox, where mozilla firefox's own update manager alerts you that you have to update the browser, then you go to officeupdate and update the office suite, and then you check the following app and learn that you have to download and install the patch manually, and so on for all the 5 apps.
Now think what happens when there are 20 or more apps to be checked, INCLUDING various supporting libraries that cannot be easily checked automatically and you have to check them one by one and patch them one by one. In the Linux world the package manager updates almost anything for you in one move. (With some exceptions, of course). In the Windows world, that has not a real update manager/supervisor for the whole list of installed applications, you have to do the updates one by one, by hand because there is no unified Windows update manager. So... what way is simpler? After all, it all comes to the time required to maintain an IT infrastructure up to date, and Windows falls short on this one. And we all know that time is money, right?
I wish I could mod this entire article (-1, Troll) -- it's like shooting fish in a barrel.
"How many light bulbs does it take to change a person?" --BMcC-->
Another factor that's not considered is that with FOSS products you are free to write your own patch system if you don't find any that meet your needs. With Windows you're stuck with what they offer.
GETPKG - Package Management for Slackware
From the hours of 8-5 any downtime would cost over $10k/second
I hacked that computer and installed an application. It's pretty brilliant. What it does is every time there's a bank transaction where interest is computed, you know, thousands a day? The computer ends up with these fractions of a cent, which it usually rounds off? What this does is takes those little remainders and puts them into an account.
-- This sounds familiar.
Yeah, they did it in Superman 3.
-- Right.
Underrated movie, actually.
Software Wars
Why is this a story? I mean seriously. These TCO articles come out all of the time, and they are bullshit all of the time. Don't we already know this? Does anyone with half a brain pay attention to these "studies"? There's nothing we can do to stop them, and we only discredit them here... Where everyone knows they are bullshit. It doesn't even have anything to do with some prejudice against Microsoft. Any company will bs their way to more sales. Welcome to life, people.
I hate grammar Nazi's.
In most corporate environments you would not be allowed to set automatic updates on. The last thing the corporate IT department would want is for an automatically installed patch to break existing systems.
Sure this is an inconvenience, but (still) overrated. It's just not a major issue to reboot a machine. Word. Move on.
What continues to be a major road block to widespread adoption of Linux by the masses is not just patching, but just installing applications at all. It just can not be said with a straight face that installing patches or an application on Linux is as easy as with Windows for average computer users. There are just way too many pitfalls that can trap a user in hours and days of searching for strange dependencies and other things. And a smooth GUI installer....
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
How arrogant!
a) Nothing in the report suggests the users 'have no idea how to really use a computer';
b) Nothing in the report remotely suggests anyone is not willing to learn how to use a computer;
c) Everything suggests that people do think. The thinking might be along the lines of: "My computer is a tool. Do I really need to know how to fiddle endlessly setting up the tool?"
Why is it that there is no questioning buying precooked food, taking appliances and vehicles to repair shops for the simplest of servicing, or the persistent use of a favoured carpentry tool because it's 'done the job fine for x years'. And yet when someone treats a computer simply as the tool it should be, they are branded 'fearful of change' and 'unthinking'?
What would you think if there were hammer geeks who spent endless amounts of time refining, modding, and configuring their hammers? Geeks who felt that only unthinking losers wouldn't change their hammers every six months. Geeks that felt it a pathetic display of ignorance that someone would not take the time to know their hammer intimately. Geeks that could endlessly debate shaft lengths, handle materials, and head geometry. In all likelihood, there would be a very large body of people who would think, 'It's a fscking hammer. I don't want to be a craftsman or hammer designer. If the thing don't hammer simply, it's of no use to me.'
"Consensus" in science is _always_ a political construct.
Can Slashdot concede that Microsoft-funded studies will come out in favor of Windows being better, and that some non-Microsoft-funded studies will come out in favor of Linux, and stop wasting our time with this banter?
________________________________________________
suwain_2
Windows installers are nightmares on the enterprise level. Too many dialogs that feature settings that should have been issued on a command line. Too many dialogs with non-installation information. (Hello?...EULA/README SHOULD BE HANDLED IN THE APPLICATION!!) These two create a situation where if you are going to install a piece of software on more than a handful of machines you really wish they had a silent install. More often than not you are stuck babysitting installs blindly clicking "Yes"s and "Okay"s and "Next"s. Yay for the TCO.
A "sin" Microsoft cultivated a long time ago is confusing "installing" and "configuration" together. If you tie both of these processes together it makes support murky. Did the installation fail to place files or did it mess up setting some value somewhere? Installers should be concerned with tracking/placing software components. Programs should be concerned with configuration. Because of MS including this level of complexity it also had the side effect of making it hard for a user to inspect packages before installing. There is no way for a desktop user to find out what an MSI package provides, what it requires, etc before installation. Another side effect is that people writing installers are often forced to package all dependencies with their application instead of making seamless stacking installs.
Making a Windows installer actually enforce component dependencies suffers from the same "DLL Hell" type problem that has plagued Windows forever. Most installations are written loosely: you can uninstall CompA which ProgramB depends upon and the system happily complies.
With all of that said, Windows installers are bad. Linux and other Unix-like systems are okay but they are more interested in software integrity than ease of use. You can't beat Mac: Drag a folder into the apps folder and it's installed, take it out of the folder to uninstall it. At this point I can't imagine why anyone would want any system to be more like Windows.
Your analogy is a bit skewed. A hammer doesn't exactly have the same power in society as a computer. A hammer can't communicate with another hammer. A hammer doesn't hold bank records or social security numbers or credit card accounts. A hammer doesn't spread hammer viruses that allow other hammer users to steal that information. A geek hammer user doesn't use his hammer skills to exploit the weaknesses of your hammer to break into it.
Your car is a decent analogy to a computer, but as you pointed out most people simply dump it into someone else's lap when something "don't work" - that's why so many people drive broken down heaps, or constantly have their vehicles in the shop, or destroy their engines from years of unmaintained use. A person that never bothered to understand that their car needs brake maintenance will only figure it out when their brakes finally go and they careen into another car. But also those who change their own oil, perform tune-ups themselves, and know How Their Car Works tend to drive well-running vehicles that are not road hazards. It's called responsible ownership. Could you argue that awareness of the care and maintenance of a car is an undesirable thing?
You legally are required to have a license to drive a car. If it's simply a tool, why would that be? Why should you have to intimately know the operation of driving a tool? Well, it's a powerful tool. It's also a dangerous tool. You can cause massive amounts of damage with a car because of its power. An idiot driver that doesn't signal before merging on the highway can cause multi-car wrecks. People cause fatalities by running stop lights and stop signs. Similarly, a person with a computer that doesn't care to understand the need for its security quickly becomes a zombie node in massive DoS attacks on other systems. These cost network providers untold sums of money in downtime and customer dissatisfaction. In some cases it allows their personal information to be stolen, just as if they were to keep their bank records in their cars without locking the doors - or their windows were smashed out and the records taken. Do you see the relationship here? The power that computers and global internetworking have given us must be taken with some measure of responsibility for the technology to be safe. Ignorance is not something to take pride or comfort in - there is no reason that computer users should not be more aware of their computers and how to properly maintain them.
Oh, and the hammer geeks that you mentioned are the reason why we have progressed from hand rocks, animal bones, and tree stumps to clawhammers, ball peen hammers, plastic and rubber mallets, and sledgehammers.
perl -e "eval pack(q{H*},join q{},qw{70 72696e74207061636b28717b482a7d2c717b343 637323635363534323533343430617d293b})"
I hate to tell you, but there *ARE* hammer geeks out there... note that said geeks (blacksmiths) are usually building tools to do certain tasks, but they certainly are modding hammers... :-)
And yet when someone treats a computer simply as the tool it should be, they are branded 'fearful of change' and 'unthinking'?
I've been involved in the computer industry in various fields for about 20 years now, and I have seen first hand how people interact with computers. Back when mainframes were still mainstream, their operators knew what they were doing. Nowadays all you need is $400 and a credit card to get a home computer, so naturally the skill level of computer users, on average has dropped considerably. That is natural and happens in many different fields when a "specialty" item is released into the general public. You can't swing a dead cat nowadays without hitting someone with a cell phone, but 10 years ago it was almost unheard of to expect someone to have one.
The point is, you have many many people with little or no computer usage skills using computers. These people are (to use the car analogy) the people who don't get their oil changed, don't have the tires rotated, don't check fluids, accelerate too fast just after starting the engine, etc. These are the people who consider the cars to be 'black boxes'. They don't care how they work, just that they work. When they break, they take them to a "certified technician" to fix them. Even though they are SUPPOSED to do routine maintenance, they don't. Who knows why. Maybe they're ignorant about the requirements. (Has a car salesman ever told you explicitly that you need to change the oil? How many of you read the car manual cover to cover?) Maybe they're lazy. Maybe they forget. Maybe they're too busy. With computers it's no different. Even though Mr. Average Windows User might know how to click on "Windows Update" on the start menu, if you changed that to a command-line interface, where they would have to type ANYTHING, I guarantee there would be people who don't do it.
More than half (probably close to 3/4s) of the people I've worked with in the past only have up-to-date systems because their computers were set up to automatically patch at a certain time every day (like lunchtime). A small percentage of people make it a routine (like checking email in the morning) of making sure they are up to date. The rest of them are just out of date, waiting for an attack of some variety.
Note that I didn't say that users have no idea how to use a computer. I said that users have no idea how to REALLY use a computer. Extrapolate from that what you like, but what it means is that the average user doesn't know how to adequately take steps to make sure they are current (OS patches, virus updates, etc)
Long story short (yeah I know, too late) if you make something that people are used to just a bit more complex, you won't change everyone's habits. There are always those people who get left behind for various reasons (usually due to their attitude.) For those people, I would recommend this book. Adapting to change is critical to the survival of many species, and humans are no exception. While using Windows over Linux, or vice-versa isn't a life-threatening choice, it's the attitude of people not willing to accept change that will leave them in the dust.
And they said zombies weren't real!
Erm, I think that it is you who might need to check :) Iana isn't down. The IP address of www.iana.org is 192.0.34.162 - I suspect that you have an interface configured with 192.168.0.2 netmask 255.0.0.0 or something like that. Or a dodgy route.