Roger 'Rocky' Vetterberg
listsub at 401.cx
Wed Dec 3 05:48:16 PST 2003
Paul Robinson wrote:
> Dirk Meyer wrote:
>>Local system status:
>> 1:59AM up 1212 days, 17:50, 0 users, load averages: 0.00, 0.00, 0.00
> Now, please don't take this the wrong way Dirk, but I need to use you to
> make a point here.
> 1. Uptimes of 1,200 days say wonderful things about FreeBSD.
> 2. Uptimes of 1,200 days say terrible things about the administrators
> of those boxes.
> You were attempting to make point 1, and yes, FreeBSD is very stable and
> that's all very impressive. However, point 2 needs some consideration.
> There are good reasons to be keeping track of -STABLE and even more
> reasons to be keeping track of -RELEASE. You can't have been doing
> either of those for the last 4 years. That, in my opinion, leaves you
> vulnerable in a few ways.
> Of course, the real answer here is to work on a way of allowing for an
> "upgrade" to happen without re-booting the machine, thereby getting
> kernel patching without losing service or uptime. However, until we get
> to that point, consider patching at least once a quarter to a recent
> -RELEASE or even better, -STABLE cvsup, and go from there.
I have to jump in and defend Dirk here, since I frequently get the
exact same kind of comments when I tell people about the 900 days
uptime on some OpenBSD boxes I admin.
These boxes are pure bridges, sitting in front of other boxes and
doing simple bridging with some filtering. They have no IP addresses
on any of the interfaces and they have no services running, not even
sshd. The only way to access them is via local console, or in some
cases via serial console.
I have checked the archives, and I can't find a single patch or
exploit in the last 4 years that would help the functionality or
security of these boxes. Now, does my 900 days uptime still say
terrible things about me as an administrator?
I do take for granted that the machine Dirk mentioned in the
original post is unreachable or in some other way impossible to
penetrate, similar to my bridges. If it is not, and is indeed
reachable from the internet, then I fully agree with Paul and must
question Dirk's administrator skills. Today's internet is too hostile
for systems that aren't frequently and regularly patched and maintained.