Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Patches Go For Quality Over Quantity?

Posted by Zonk on from the can't-we-have-both dept.

greengrass writes "eWeek.com is running a story about another Microsoft 'study'. This one discusses how good Microsoft is at providing patches for their OS. This is Part 2 of 3 in a series of articles, the first of which compared Linux and Windows on legacy systems." From the article: "Bill Hilf, who is director of Platform Technology Strategy at Microsoft and heads its Linux and open-source lab, told eWEEK in a recent interview that 'the differentiator for customers is not the number comparison, but which vendor makes the patching and updating experience the least complex, most efficient and easiest to manage.'"

30 of 225 comments (clear)

  1. Focus Magazine Interview Haunts Gates by eldavojohn · · Score: 5, Interesting

    I'll be the first to point this out (as I'm sure it's been pointed out many times on slashdot)--Gates has openly stated in an interview with Focus Magazine that users aren't interested in bug fixes.

    I've read other interviews with Gates in which he went further to explain himself by saying that the feedback they received from users was rarely requesting a bug fix. He listed a percentage in the high nineties that was feedback suggesting new features. And so, with each upgrade and patch, the aim wasn't for security or bug fixes but instead for new features which a lot of people asked for. The engineers will blame him for taking that approach but I'm sure the businessmen will laugh and follow Gates all the way to the bank.

    Now, to be fair, it seems he has changed his stance (which--calm down--I believe people are allowed to do). And I applaud them if they really are trying to rectify what they made mistakes on in the past with their new patching strategy. There is (obviously) much debate about if they actually are trying to fix it and if these are actually quality patches. I'm sure the flamewar that ensues on this article will demonstrate that adequately.

    I will make a speculation though. IN MY OPINION, the largest thing Microsoft has to fear is a perfectly secure operation system they have created and distributed throughout the world. This is because they will no longer have "upgrades" or new versions of Windows to offer costumers. Yes, some customers are looking for new features, but oftentimes I find myself on my Windows machine just begging it to behave properly as a cut and dry OS. If the rumors of Vista are true and it is an efficient and secure operating system that can function in plain jane deterministic manners, then I want it dual booting with Linux and nothing more ... ever.

    --
    My work here is dung.
    1. Re:Focus Magazine Interview Haunts Gates by Information+Architec · · Score: 3, Interesting

      then I want it dual booting with Linux and nothing more ... ever.

      IF Linux is as stable as you make out, and you want "nothing more...ever", then why not make it - or Windows for that matter - available as a chipset, like the good ol' BBC Microcompuetr of yesteryear...? Whatever the OS, why should I waste my time waiting for the system to boot up or shut down, when so many other devices have their OS's on EPROM....I just want to switch on and go.

    2. Re:Focus Magazine Interview Haunts Gates by Anonymous Coward · · Score: 4, Informative

      users aren't interested in bug fixes.

      The thing is, he's right, he just didn't know it. Look at all the unpatched windows boxes that were spreading Slammer (or any of the other worms that spread like wildfire while using exploits that had been fixed months before). Users aren't interested in doing bug fixes.

      Automatic Windows Update's gone a long way towards fixing this for them, but they'll need to ditch updates to windows carrying their own EULAs (which breaks automatic update, since it will sit around and backlog all the patches until someone logs into an administrative account (which users aren't supposed to do for everyday use, right?) in order to click the agree button) in order to truly automate everything.

    3. Re:Focus Magazine Interview Haunts Gates by Tony · · Score: 5, Insightful

      If the rumors of Vista are true and it is an efficient and secure operating system that can function in plain jane deterministic manners, then I want it dual booting with Linux and nothing more ... ever.

      Those rumours have preceded every version of MS-Windows since NT 3.51 (the most secure and stable version of MS-Windows to date, in my experience). I've stopped waiting for MS to produce an exceptional operating system. There are much, much better alternatives out there -- OS X, Linux, *BSD, Solaris, etc. What's the point of waiting for MS to play catch-up?

      I'm interested in seeing Vista in action. I'll probably take a look when someone at work here picks it up. I don't hold out a lot of hope that it will beat the stability of Solaris, the ease-of-use and consistency of OS X, or the openness and general all-over chocolatey goodness of Linux and *BSD.

      Let's see if they still group programs by vendor, and not by function.

      --
      Microsoft is to software what Budweiser is to beer.
    4. Re:Focus Magazine Interview Haunts Gates by ReTay · · Score: 2, Insightful

      IF Linux is as stable as you make out, and you want "nothing more...ever", then why not make it - or Windows for that matter - available as a chipset, like the good ol' BBC Microcompuetr of yesteryear...?

      Because like any operating system you will eventually want to add something to the machine like a newer video card.... Or a new codex and then what happens when you turn off the machine? But even three seconds of thought would have told you that.
      Eventually you (gasp) might even want to try a new distro....
      For crying out loud talk about vendor lock...

    5. Re:Focus Magazine Interview Haunts Gates by ZombieRoboNinja · · Score: 4, Insightful

      "IN MY OPINION, the largest thing Microsoft has to fear is a perfectly secure operation system they have created and distributed throughout the world. This is because they will no longer have "upgrades" or new versions of Windows to offer costumers."

      Just to play devil's advocate, Apple's OS is largely bug-free and secure, and yet quite a few people pay cash money for an upgrade every year or so. This is presumably because each new release of OSX has enough cool features to give it some appeal, even without a bunch of critical security updates.

      Would Apple sell enough upgrades to make a profit if they weren't making money from hardware (and iPod) sales? Maybe not, but it's worth asking.

  2. More M$ Hooey by TripMaster+Monkey · · Score: 5, Insightful


    Microsoft Corp. seems to be moving away from focusing on the actual number of security patches and updates that it and its software competitors release.

    But of course they are...since Joe Brockmeier and Joe Barr of NewsForge , as well as Pamela Jones of Groklaw did such a masterful job of debunking the ridiculous annual summary of vulnerabilities by US-CERT (discussed earlier on Slashdot), Microsoft has necessarily had to switch propaganda tactics.

    Instead, it is concentrating on making it easy and efficient for customers to obtain the security fixes and update their systems.

    That's funny...I've never had a problem with my Yast Online Update...

    "...patching, particularly for security, is not a 'Microsoft problem,' but something that affects all operating system and platform vendors," Hilf said.

    Nice straw man, Hilf. No one is claiming that non-Microsoft operating systems don't need to be patched. The issue is whether the patches are issued in a timely manner...or not.

    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:More M$ Hooey by HardCase · · Score: 2, Interesting

      What about Cox's boasting that Red Hat took the initiative to notify its users about the Flash issue? According to him, Microsoft left its customers in the dark - but the security issue had absolutely nothing to do with either Red Hat or Microsoft. Are we now to depend upon our OS vendor to provide us with security updates for our third party applications? How far does it go?

      The whole Linux versus Microsoft thing is like arguing politics. You've got a few zealots on the fringes and a vast number of people who are perfectly happy with what they've got. The zealots are loud and shrill but, in the the end, they represent a tiny minority.

      Want a bad analogy? It's like Ford saying that you should buy a Mustang because a Camaro sucks (yes, I know that Chevy doesn't make Camaros anymore - work with me here).

      -h-

    2. Re:More M$ Hooey by IAmTheDave · · Score: 5, Interesting
      That's funny...I've never had a problem with my Yast Online Update...

      Nor have I had any issues with Windows Update on XP or Windows 2000/2003 Server or Professional. While patches may be a little lacking in expediency (sp?) it couldn't be easier to do. I love that I can have my office XP computer patch itself while my servers download but do not install patches without my explicit command. I can't imagine Windows Update - and especially automatic Windows Update being easier to use, even for non-power users.

      Right now, I think that OSX and Windows XP/2000/2003 really have the best in patching, with certain Linux distros being up there as well. Easily getting updates to users is no longer an issue, it's the speed/efficiency with which said patches become available that is to be compared.

      --
      Excuse my speling.
      Making The Bar Project
    3. Re:More M$ Hooey by TripMaster+Monkey · · Score: 3, Insightful

      What about Cox's boasting that Red Hat took the initiative to notify its users about the Flash issue?

      This quote sums it up nicely:

      From TFA (emphasis mine):
      In late 2005 when flaws were found in Macromedia's Flash Player, Red Hat took responsibility for providing users with a vulnerable version of the Flash plug-in and made an update available, he [Cox] said.
      How far does it go?

      Basically, if you are the one to provide the software, you are responsible for getting the patches to the users. This is one big reason the *nixes performance in US-CERT's annual summary of vulnerabilities appeared so poor...because the *nixes were also issuing patches for all the software that came bundled with the OS.

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    4. Re:More M$ Hooey by m50d · · Score: 4, Insightful

      One difference - you mention office, but I suspect most software on a typical user's machine is not covered by windows update. Wheras as a gentoo user, everything on my machine is updated with one command. MS is doing well looking after their own products, but any application can compromise the system - they should try and get every windows program vendor using windows update.

      --
      I am trolling
  3. It may be good.... by Anonymous Coward · · Score: 5, Insightful

    It may be good to have lots of patches, but once you have a car where the duct tape weighs more than any other parts combined, isn't it time to just get another car?

  4. Efficient? by IceCreamGuy · · Score: 3, Insightful

    I wouldn't normally think of 4 hours and 6 zillion reboots as "efficient" or "easy". -Julius

  5. Uh, no. by Benanov · · Score: 5, Insightful

    How about, which vendor makes the patches unnecessary (i.e., few and far between) because it released a solid, working program?

    I don't want patch quality. I want program quality.

    I work in proprietary software. Most places that do proprietary software are overworked and quality suffers. (EA is an extreme example where workplace quality suffered as well as program quality.)

    In the places I've worked, everyone's too busy doing what they've been assigned and they're overworked because they're understaffed. Hiring more people means less money for the company so that generally doesn't happen.

    With FOSS, anyone can pick up the source if they have some spare time and hack away at it, and even if individual contributions are small, there's always someone with some spare time and a different view about how something should work.

    Once you start doing for money's sake, you spend more time worrying about your bottom line than about quality.

    1. Re:Uh, no. by Hiro+Antagonist · · Score: 2, Insightful

      It's not money that's the problem; it's a devotion to accruing every possible unit of negotiable currency that causes the problem. There are a lot of businesses, most of them privately held, that make 'slightly less' than a ton of money by doing something different, and caring about the customer instead of the bottom line.

      Public companies don't have this luxury; they have to care about 'the bottom line', because they are responsible to their shareholders before they are responsible to their customers. In a private company, the customer comes first and foremost, and the difference in quality is measurable.

      Look at BMW and Mercedes --- BMW is privately owned, and whether or not their styling appeals to you, it would be hard to argue that they aren't top-notch in terms of quality, funtionality, and service. Mercedes, on the other hand, canned the complimentary service option a few years ago[1], and offers far less 'bang-for-the-buck' in the luxury car market.

      [1] It used to be that purchasing a luxury automobile meant that the manufacturer would stand behind your purchase in every conceivable way, and complimentary maintainence was a part of this package. Mercedes used to be very good at this, and had one of the best service packages in the industry. Now, you get to pay for your own service to go along with your top-of-the-market-priced car, and the build quilty has been nickel-and-dimed below that of a Nissan. Sad to see such a nice car company go down the tubes.

      --

      --
      I Hit the Karma Cap, and All I Got Was This Lousy .sig.
  6. anyone else think it's odd by subtropolis · · Score: 4, Interesting

    that the head of their "Linux and open-source lab" is also their "director of Platform Technology Strategy"? Why ever should that be?

    --
    "Our interests are to see if we can't scale it up to something more exciting," he said.
  7. I was looking for... by sam1am · · Score: 2, Insightful
    ..which vendor makes the patching and updating experience the least complex, most efficient and easiest to manage.
    And here I was looking for the vendor that would keep my systems the most secure. Silly me.
  8. slashdot articles by TheDoctorWho · · Score: 2

    just aren't doing it for me anymore.

    here we have some MS guy going on and on about a problem that needs to be addressed before your release software, not after

  9. efficient? by BushCheney08 · · Score: 4, Interesting

    ...but which vendor makes the patching and updating experience the least complex, most efficient and easiest to manage.

    My office recently donated some P3 machines to a homeless shelter. The process of wiping the drive and installing Win 2000(SP4) and updating it to be current took nearly 4 hours for one machine. This was a machine that had just the OS. I had to run Windows Update and reboot at least a dozen times. Each time, I'd select and install all patches available. Due to prerequisite patch dependencies, however, each update/reboot cycle would make another 10-15 patches available. Hardly efficient. You'd think they could roll it all up into one huge patch and make it available. (And yes, I can understand the need for some places to avoid certain patches - make that the option, not the norm!)

    --
    Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
  10. least complex? by ScislaC · · Score: 3, Insightful
    "but which vendor makes the patching and updating experience the least complex"
    I will say that Windows Update was better than anything else I had seen when it was initially introduced (I will admit to not having used Linux then though). However, any modern distros I've used (Ubuntu & Suse most recently) actually have a far LESS complex patch and update mechanism... because they patch all of the software and libraries as well, not just the OS. And they do it the same way as windows with a little notifier in the system tray (yeah, they don't autoinstall as far as I've seen, but, a couple clicks doesn't add to complexity as far as I'm concerned). Just my .02 on that part...
    --
    ART on dA
  11. Re:The patches just rarely add functionality by CheechBG · · Score: 2, Interesting

    Umm, WinXP SP2 (not sure if it's just SP2, but that's all I run before I got my BT dongle) does have support for Bluetooth. Sorry.

    In fact, I believe that MS's drivers, as simplistic as they are, are far and away better than Toshiba's BT stack (Try to set up BT HotSync with a Treo 650 over Toshiba BT drivers). Unfortunately, they don't hold a candle to the WIDCOMM drivers.

    The real travesty in all this is the fact that there are 3 separate comm stacks for the exact same hardware. Even worse is that they are licensed in such a way that I cannot use the WIDCOMM drivers for a BT device that came with Toshiba drivers. However, I can use the MS drivers for anything.

  12. Re:The patches just rarely add functionality by HardCase · · Score: 3, Informative

    XP still doesn't have support for Bluetooth...

    You mean the Bluetooth connection between my notebook and my cellphone that I use to connect to the Internet on the road doesn't really work? Uh oh...

    -h-

  13. Re:The patches just rarely add functionality by Mr.+Underbridge · · Score: 2, Interesting

    Nice troll, but make it less obvious. Win 2K had support for WiFi, for chrissakes. I believe 98 did too, eventually.

  14. Full credit to eWeek... by Chicane-UK · · Score: 3, Insightful

    Reading that article made such a refreshing change compared to the Microsoft 'propaganda' stories we usually get linked to. eWeek gave Linux vendors the chance to answer and explain all of the figures which seemed to side with Microsoft - and invairiably once dissected, the usual Microsoft massaging of figures clearly comes to light.

    One great example was this:


    Interestingly, Microsoft's Hilf has a personal Red Hat workstation in his office that he uses on a daily basis. He selected a random week in October to provide a snapshot of the updates made to his Red Hat Enterprise Linux workstation over that period. He found that, between Oct. 6, 2005, and Oct. 11, 2005, his workstation was updated 66 times.

    "I chose those dates randomly," he said. "I use this system daily, so it was literally a snapshot of a given workweek. All this illustrates is that patching and updating are part of any 'living' software system. It is part of the nature of modern software: Things change, bugs happen, features get added, and software needs to get updated."

    But Red Hat's Cox pointed out that the second update release for RHEL4 was issued Oct. 5, resulting in a very large number of updated packages over the period of a day or two, "which is what Hilf saw. We only issued two Update releases for RHEL4 in 2005, so he was quite unlucky in his choice of a random snapshot," he said, tongue in cheek.



    Unlucky indeed. Nice to see some unbiased reporting and not just verbatim duplication of Microsoft comments and 'press releases' for a change.

    --
    "Hey! Unless this is a nude love-in, get the hell off my property!!"
  15. Advice for Bill (and you can pay me later...) by ArtDent · · Score: 2, Interesting

    I've had the Automatic Updates icons staring at me from my system tray for the last couple of days. The reason I haven't yet installed the latest security update (KB908519) is because I *know* from past experience that it will ask me to reboot afterwards. I use this machine for work, and like just about everyone else in the world, I've got many different tasks on the go, so I've got several programs open, and I don't want to close them, lose all their state, and spend several minutes rebooting. So, I'll say "no", and later forget that I was supposed to reboot.

    I'll promptly install patches when doing so doesn't require unnecessary reboots. If the kernel isn't being patched, don't make me reboot!

  16. Argh, more buzzwords by Alioth · · Score: 2, Insightful

    Why does everything have to be a such-and-such "experience". I don't want a patching experience at all, I want to have it happen in such a way that it's a non experience. They make it sound like it should be a movie or a fun fair by calling everything a such-and-such "experience"!

    --
    Oolite: Elite-like game. For Mac, Linux and Windows
  17. Flamebait? by Anti-Trend · · Score: 4, Informative

    ...maybe. Wrong? Not really. The only thing more rediculous than rebooting a workstation several times after a small batch of updates though is doing the same with a server. I'm going to get a tad bit off topic, but in the same thread of throught, so bear with me. Every time someone posts on Slashdot that Unices have better uptimes than Windows boxen, you invariably get a half-dozen disgruntled Windows admins spouting off numbers of how long their servers have been up. What they don't take into account is that if those systems have been up as long as they claim, the necessary updates have not been applied. Most Windows updates still require that a system is rebooted before the patch actually takes effect. Unix-like systems, on the other hand, are routinely patched hot, and typically only require a reboot in the case of a kernel update or invasive hardware maintenance. If Microsoft does finally fix the design flaw that requires one to reboot after nearly every patch, it will not be innovative so much as becoming more Unix-like in design.

    --
    Working in a DevOps shop is like playing in a band made up entirely of keytarists.
    1. Re:Flamebait? by metallic · · Score: 2, Informative

      Often when Windows Update says you need to reboot, you really don't need to. We've kept one of our production Exchange servers up for a month with a "You need to restart your system" notices in the taskbar. It's still suboptimal and nowhere near approaching anything as elegant as Unix but I've always believed that if you are to criticize something then you should at least be fair about it.

      --
      Karma: Positive. Mostly effected by cowbell.
  18. yes, let us believe the head of the MS Anti-Linux by Locutus · · Score: 2, Insightful

    My gawd Jim, this is a marketing company for heavens sake! ( not sure why Dr McCoy came to mind...)

    Why would anybody think there is any truth to what the head of Microsofts anti-Linux group says?
    Do you think he might have a little motivation to make sure people THINK their OS smells like roses?
    I do.
    IMO

    But thankyou Mr Hilfe for making sure CIO's, CTO, etc know that Linux is on Microsofts mind. THAT,
    combined with what their employees are experiencing is great for your competition. :-)

    LoB

    --
    "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
  19. Microsoft propaganda machine in attack mode? by penguin-collective · · Score: 2, Insightful

    There is just one story after another about Microsoft "going for quality" and "Microsoft running on machines just as small as those Linux runs on", "Microsoft having fewer vulnerabilities according to some web site", and "Microsoft this" and "Microsoft that". If you read carefully, most of those stories were actually initiated by Microsoft.

    So, that makes me wonder: is this just the season for the Microsoft propaganda machine to become active? Or is Linux striking more fear than usual into their hearts?