
Re: [LUG] Extract historical time to apply security updates


On 08/03/14 23:43, Simon Waters wrote:
> Curious question, but has anyone attempted to extract time to patch from
> logs and packages (or other data).
> 
> Specifically interested in how long the security updates took to be
> installed from their release by vendor. Although how vendors compare
> would be interesting I know the Linux distros we use are at least
> comparable (since I get the mailing list security advisories within days
> of each other typically).
> 
> I can imagine in Debian stable this is relatively easy, because all
> non-release upgrades are security upgrades. But other distros muddy the
> water here, although most flag security updates.
> 
> I've separately been running a whole set of less critical server boxes
> on automatic daily update, with no issues of note in 6 months. I know
> Bad Apple is in the nothing changes without my permission school of
> system admin, but for these boxes it seems a good balance of risk v
> effort v timeliness.
> 


Several of my smaller clients have had Apple, Windows and even some
Linux machines set to auto-update for years now and it's very rare to
see a non-trivial problem actually. For many of these guys having any
barrier between automatic security updates and their machine would be
disaster waiting to happen, and they're way too small to warrant WSUS or
MacServer deployments.

I think the worst issue I've ever seen was the very recent auto-update
bug in XP/2003 that Microsoft have only just fixed: that was pretty
nasty as it would lock up machines at 100% for hours in some cases every
time it ran the auto-updater.

As for your question, I'm not quite sure what you mean - are you just
wondering if anyone has done any in-house analysis of how long passes
between the vendor fix being released and it actually being installed on
the machines? If that is what you mean then I'm afraid I haven't done
anything rigorous, although I have been frequently surprised when
patching client boxes up and finding myself digging through HP's awful site
for a firmware flash or system update that was released *10 years*
ago... I've updated the firmware on a fair few Adaptec HBAs that must
have been at least 10 years old before as well.

Regards

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
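One way to do the measurement Simon asks about on a Debian box, as an added example that is not part of the thread: read the `upgrade` lines out of dpkg.log and compare each install time against the advisory date for that fixed version. The log lines and the advisory dates below are constructed samples (the dates are placeholders, not real DSA dates); in practice the table would be filled from the security-announce mails.

```python
from datetime import datetime
import re

# Constructed sample dpkg.log lines (the format dpkg writes on Debian/Ubuntu).
DPKG_LOG = """\
2014-03-01 06:25:12 startup packages configure
2014-03-01 06:25:13 upgrade openssl:amd64 1.0.1e-2+deb7u4 1.0.1e-2+deb7u5
2014-03-01 06:25:14 status installed openssl:amd64 1.0.1e-2+deb7u5
2014-03-05 06:25:20 upgrade libxml2:amd64 2.8.0+dfsg1-7+nmu1 2.8.0+dfsg1-7+nmu2
2014-03-09 06:25:31 upgrade gnutls26:amd64 2.12.20-8 2.12.20-8+deb7u1
"""

# Constructed advisory dates keyed by (package, fixed version); real data
# would come from the DSA announcements, not from this placeholder table.
ADVISORY_DATES = {
    ("openssl", "1.0.1e-2+deb7u5"): "2014-02-26",
    ("libxml2", "2.8.0+dfsg1-7+nmu2"): "2014-03-04",
    ("gnutls26", "2.12.20-8+deb7u1"): "2014-03-04",
}

# dpkg.log upgrade line: "<date> <time> upgrade <pkg>[:<arch>] <old> <new>"
UPGRADE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) upgrade "
    r"(?P<pkg>[^:\s]+)(?::\S+)? (?P<old>\S+) (?P<new>\S+)$"
)

def parse_upgrades(log_text):
    """Yield (package, new_version, install_datetime) for each upgrade line."""
    for line in log_text.splitlines():
        m = UPGRADE_RE.match(line)
        if m:
            when = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
            yield m["pkg"], m["new"], when

def time_to_patch(log_text, advisories):
    """Return {package: days between advisory and install}. Upgrades with no
    matching advisory (point-release or non-security updates) are skipped."""
    result = {}
    for pkg, new_ver, installed in parse_upgrades(log_text):
        released = advisories.get((pkg, new_ver))
        if released is None:
            continue
        delta = installed - datetime.strptime(released, "%Y-%m-%d")
        result[pkg] = round(delta.total_seconds() / 86400, 1)
    return result

if __name__ == "__main__":
    for pkg, days in sorted(time_to_patch(DPKG_LOG, ADVISORY_DATES).items()):
        print(f"{pkg:10s} patched {days:5.1f} days after advisory")
```

On a real host, feed it the concatenation of /var/log/dpkg.log and the rotated copies, since the current file only covers the most recent period.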