Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×
Microsoft Security

MS Patches Go For Quality Over Quantity? 225

Posted by Zonk from the can't-we-have-both dept.
greengrass writes "eWeek.com is running a story about another Microsoft 'study'. This one discusses how good Microsoft is at providing patches for their OS. This is Part 2 of 3 in a series of articles, the first of which compared Linux and Windows on legacy systems." From the article: "Bill Hilf, who is director of Platform Technology Strategy at Microsoft and heads its Linux and open-source lab, told eWEEK in a recent interview that 'the differentiator for customers is not the number comparison, but which vendor makes the patching and updating experience the least complex, most efficient and easiest to manage.'"
This discussion has been archived. No new comments can be posted.

MS Patches Go For Quality Over Quantity? More

MS Patches Go For Quality Over Quantity?

Comments Filter:

  • Focus Magazine Interview Haunts Gates (Score:5, Interesting)

    by eldavojohn ( 898314 ) * <eldavojohn@noSpAM.gmail.com> on Friday January 13, 2006 @11:34AM (#14463639) Journal
    I'll be the first to point this out (as I'm sure it's been pointed out many times on slashdot)--Gates has openly stated in an interview with Focus Magazine [cantrip.org] that users aren't interested in bug fixes.

    I've read other interviews with Gates in which he went further to explain himself by saying that the feedback they received from users was rarely requesting a bug fix. He listed a percentage in the high nineties that was feedback suggesting new features. And so, with each upgrade and patch, the aim wasn't for security or bug fixes but instead for new features which a lot of people asked for. The engineers will blame him for taking that approach but I'm sure the businessmen will laugh and follow Gates all the way to the bank.

    Now, to be fair, it seems he has changed his stance [go.com] (which--calm down--I believe people are allowed to do). And I applaud them if they really are trying to rectify what they made mistakes on in the past with their new patching strategy. There is (obviously) much debate about if they actually are trying to fix it and if these are actually quality patches. I'm sure the flamewar that ensues on this article will demonstrate that adequately.

    I will make a speculation though. IN MY OPINION, the largest thing Microsoft has to fear is a perfectly secure operation system they have created and distributed throughout the world. This is because they will no longer have "upgrades" or new versions of Windows to offer costumers. Yes, some customers are looking for new features, but oftentimes I find myself on my Windows machine just begging it to behave properly as a cut and dry OS. If the rumors of Vista are true and it is an efficient and secure operating system that can function in plain jane deterministic manners, then I want it dual booting with Linux and nothing more ... ever.
    • then I want it dual booting with Linux and nothing more ... ever.

      IF Linux is as stable as you make out, and you want "nothing more...ever", then why not make it - or Windows for that matter - available as a chipset, like the good ol' BBC Microcompuetr of yesteryear...? Whatever the OS, why should I waste my time waiting for the system to boot up or shut down, when so many other devices have their OS's on EPROM....I just want to switch on and go.
      • IF Linux is as stable as you make out, and you want "nothing more...ever", then why not make it - or Windows for that matter - available as a chipset, like the good ol' BBC Microcompuetr of yesteryear...?

        Because like any operating system you will eventually want to add something to the machine like a newer video card.... Or a new codex and then what happens when you turn off the machine? But even three seconds of thought would have told you that.
        Eventually you (gasp) might even want to try a new distro...
      • You could get the benefit of this with the flexibility to rewritability via a USB drive. Plug in a new drive, and voila! You boot into a new OS.

    • Re:Focus Magazine Interview Haunts Gates (Score:4, Informative)

      by Anonymous Coward on Friday January 13, 2006 @11:43AM (#14463735)
      users aren't interested in bug fixes.

      The thing is, he's right, he just didn't know it. Look at all the unpatched windows boxes that were spreading Slammer (or any of the other worms that spread like wildfire while using exploits that had been fixed months before). Users aren't interested in doing bug fixes.

      Automatic Windows Update's gone a long way towards fixing this for them, but they'll need to ditch updates to windows carrying their own EULAs (which breaks automatic update, since it will sit around and backlog all the patches until someone logs into an administrative account (which users aren't supposed to do for everyday use, right?) in order to click the agree button) in order to truly automate everything.

    • Re:Focus Magazine Interview Haunts Gates (Score:5, Insightful)

      by Tony ( 765 ) on Friday January 13, 2006 @11:47AM (#14463781) Journal
      If the rumors of Vista are true and it is an efficient and secure operating system that can function in plain jane deterministic manners, then I want it dual booting with Linux and nothing more ... ever.

      Those rumours have preceded every version of MS-Windows since NT 3.51 (the most secure and stable version of MS-Windows to date, in my experience). I've stopped waiting for MS to produce an exceptional operating system. There are much, much better alternatives out there -- OS X, Linux, *BSD, Solaris, etc. What's the point of waiting for MS to play catch-up?

      I'm interested in seeing Vista in action. I'll probably take a look when someone at work here picks it up. I don't hold out a lot of hope that it will beat the stability of Solaris, the ease-of-use and consistency of OS X, or the openness and general all-over chocolatey goodness of Linux and *BSD.

      Let's see if they still group programs by vendor, and not by function.
      • I remember running 3.51 on my 486/66; it was slick. It had the win3.x gui, "program manager", rather than the win95 one, but it just kept going.

        One reason for it potentially being so good is it was the closest NT ever was to a microkernel; the gui really was user mode code running in the win32 subsystem. A duff display or print driver could never bluescreen the system, just the win32 subsys. Which was bad enough, but t least you could normally shut it down.

        Nt4 pulled drawing kernel side, so any print/displa
      • If the rumors of Vista are true and it is an efficient and secure operating system that can function in plain jane deterministic manners, then I want it dual booting with Linux and nothing more ... ever.
        The MO for M$ is to release an OS and deprecate in favor of WIN.X when TCO becomes unacceptably low. AFAIK, you're SOL.

        TTYL, :-).

    • Re:Focus Magazine Interview Haunts Gates (Score:4, Insightful)

      by ZombieRoboNinja ( 905329 ) on Friday January 13, 2006 @12:10PM (#14464007)
      "IN MY OPINION, the largest thing Microsoft has to fear is a perfectly secure operation system they have created and distributed throughout the world. This is because they will no longer have "upgrades" or new versions of Windows to offer costumers."

      Just to play devil's advocate, Apple's OS is largely bug-free and secure, and yet quite a few people pay cash money for an upgrade every year or so. This is presumably because each new release of OSX has enough cool features to give it some appeal, even without a bunch of critical security updates.

      Would Apple sell enough upgrades to make a profit if they weren't making money from hardware (and iPod) sales? Maybe not, but it's worth asking.
      • Excellent point -- if you can't make enough money to stay afloat from doing one thing, you need to stop doing that thing or do something else to supplement it. Apple makes software AND hardware that work well together. Dell sells a range of products, some of which almost certainly have to have profit margins to slim to support the company.

        The standard response to a failing business model these days seems to be to play nasty tricks -- buying laws, forcing obsolescence. RIAA anyone?

  • More M$ Hooey (Score:5, Insightful)

    by TripMaster Monkey ( 862126 ) * on Friday January 13, 2006 @11:36AM (#14463667)

    Microsoft Corp. seems to be moving away from focusing on the actual number of security patches and updates that it and its software competitors release.

    But of course they are...since Joe Brockmeier and Joe Barr of NewsForge [newsforge.com], as well as Pamela Jones of Groklaw [groklaw.net] did such a masterful job of debunking the ridiculous annual summary of vulnerabilities by US-CERT [us-cert.gov] (discussed earlier on Slashdot [slashdot.org]), Microsoft has necessarily had to switch propaganda tactics.

    Instead, it is concentrating on making it easy and efficient for customers to obtain the security fixes and update their systems.

    That's funny...I've never had a problem with my Yast Online Update...

    "...patching, particularly for security, is not a 'Microsoft problem,' but something that affects all operating system and platform vendors," Hilf said.

    Nice straw man, Hilf. No one is claiming that non-Microsoft operating systems don't need to be patched. The issue is whether the patches are issued in a timely manner...or not [microsoft.com].

    • Re:More M$ Hooey (Score:3, Interesting)

      by HardCase ( 14757 )
      What about Cox's boasting that Red Hat took the initiative to notify its users about the Flash issue? According to him, Microsoft left its customers in the dark - but the security issue had absolutely nothing to do with either Red Hat or Microsoft. Are we now to depend upon our OS vendor to provide us with security updates for our third party applications? How far does it go?

      The whole Linux versus Microsoft thing is like arguing politics. You've got a few zealots on the fringes and a vast number of peop

      • Re:More M$ Hooey (Score:4, Insightful)

        by TripMaster Monkey ( 862126 ) * on Friday January 13, 2006 @11:56AM (#14463881)

        What about Cox's boasting that Red Hat took the initiative to notify its users about the Flash issue?

        This quote sums it up nicely:

        From TFA (emphasis mine):
        In late 2005 when flaws were found in Macromedia's Flash Player, Red Hat took responsibility for providing users with a vulnerable version of the Flash plug-in and made an update available, he [Cox] said.
        How far does it go?

        Basically, if you are the one to provide the software, you are responsible for getting the patches to the users. This is one big reason the *nixes performance in US-CERT's annual summary of vulnerabilities appeared so poor...because the *nixes were also issuing patches for all the software that came bundled with the OS.

        • I understand that and I don't have any problem with it - RH took a responsible position, given that they provided the affected program. But you left out the rest of Cox's quote:

          "Microsoft customers were left on their own," Cox said. "For several days the only way customers could find out about this issue was from the Microsoft security team Weblog or if they read something in the press about Flash vulnerabilities and realized they had it installed. Later, Microsoft issued an advisory telling customers to v
          • I may have gotten the following wrong, please correct me if I did.

            See that is the difference between MS and linux vendors. Red Hat provides the user with a lot of software, it's on the cd and as such it is the direct provider of the software. MS doesn't, the windows cd includes windows and some other MS software but nothing like what you would find on the Red Hat cds/dvds.

            In this case, MS didn't provide users with the broken flash plugin, they downlaoded it themselves from Macromedia. Red Hat hwever did pro

    • Re:More M$ Hooey (Score:5, Interesting)

      by IAmTheDave ( 746256 ) <basenamedave-sd@yaho[ ]om ['o.c' in gap]> on Friday January 13, 2006 @11:52AM (#14463847) Homepage Journal
      That's funny...I've never had a problem with my Yast Online Update...

      Nor have I had any issues with Windows Update on XP or Windows 2000/2003 Server or Professional. While patches may be a little lacking in expediency (sp?) it couldn't be easier to do. I love that I can have my office XP computer patch itself while my servers download but do not install patches without my explicit command. I can't imagine Windows Update - and especially automatic Windows Update being easier to use, even for non-power users.

      Right now, I think that OSX and Windows XP/2000/2003 really have the best in patching, with certain Linux distros being up there as well. Easily getting updates to users is no longer an issue, it's the speed/efficiency with which said patches become available that is to be compared.

      • Re:More M$ Hooey (Score:5, Insightful)

        by m50d ( 797211 ) on Friday January 13, 2006 @12:02PM (#14463930) Homepage Journal
        One difference - you mention office, but I suspect most software on a typical user's machine is not covered by windows update. Wheras as a gentoo user, everything on my machine is updated with one command. MS is doing well looking after their own products, but any application can compromise the system - they should try and get every windows program vendor using windows update.
        • Still correct in a most ways but it is getting better. Microsoft Update [microsoft.com], the latest incarnation of Windows Update, update's my Win XP, Office, Visual Studio, Exchange Server Manager and SQL Server 2005 Express.

          Note that these are all M$ products but it's a little better then it used to be.

          They have a long way to go to come close to the ease of apt, yast, etc.(not to mention the horribly annoying dependency on IE when you want to manually check the status of updates) but I'm an optimist so I at least like to
        • Wait.. gentoo even updates programs that you had to get the latest version of in a tarball from the developer's website? 'cause I hate how in the Ubuntu repositories, LyX seems to be perpetually a year or more old.
          • Wait.. gentoo even updates programs that you had to get the latest version of in a tarball from the developer's website? 'cause I hate how in the Ubuntu repositories, LyX seems to be perpetually a year or more old.

            Basically, Gentoo is largely a set of scripts to take the developer-issued source tarballs and build and install the software from them. Usually, new versions are available pretty quickly*, but (except for security updates - and even Gentoo backports them sometimes) the latest version isn't in
          • Yep - gentoo installs the program from the tarball, but does it in such a way that it can resolve dependencies, uninstall if necessary, etc. Lyx is at 1.3.6 in gentoo at the moment.
        • Hmm.... I didn't realize that Gentoo can automatically update Oracle, vmware, and all the software out there in the universe that runs on gentoo???

          The same thing you are complaining about applies to what you are praising. Every distro then should be trying to get every application into all the different installation methods. Yast, rpm, emerge, etc all have the same deficiencies
          • Gentoo has VMware Workstation, and the instantclients for Oracle in portage. There are loads of closed source apps in portage (though several with fetch restrictions turned on, like Cedega).

            Gentoo is probably one of the best distros in managing packages (since they have the advantage of not having to provide binaries for everything). Portage is an incredibly powerful tool.
          • Hmm.... I didn't realize that Gentoo can automatically update Oracle, vmware, and all the software out there in the universe that runs on gentoo???

            One of the great things about gentoo is that it's really easy to write an ebuild - for a program that uses the standard ./configure, make and make install it's just a few lines listing name, homepage and dependencies. There isn't one for every program, but there are for an awful lot - since the ebuild doesn't include the actual program, they can easily have them

            • Yes, but they're much further along than MS. I meant it when I said every program on my system is covered by emerge - I haven't had to look outside the system once.

              True. With every other distro I had to track down obscure programs like most. Gentoo has pretty much everything - the Qt rendering engine for GTK, most, the Sun Java JDK, the accelerated NVidia driver... Portage can get everything except for a few proprietary packages - and when it can't fetch a file itself it gives you detailed information as
        • Except that the etc-update problem isn't solved yet. You do NOT want a casual user to get stuck with etc-update.
        • ... except any proprietary software you have won't, because the entire concept of "software repositories" is designed to discourage proprietary software from running on Linux. (Like so many other things on Linux...) So if you've installed a proprietary program (say, Oracle as in another poster's example), can you still update it with one command? Nope, you've lost that ability. Only vendor-supplied software is updated, on OS X, Windows *and* Linux.
      • While patches may be a little lacking in expediency (sp?) it couldn't be easier to do

        That's because with your enterprise licence, you did not have to validate your version of Windows XP.
      • I don't know... last time I helped someone install their XP system from scratch Windows Update was ANYTHING but easy to use. Here's how it goes: install Windows. Reboot. Reboot again. Windows Update kicks in. All right, let's get those patches on before this thing goes down in flames! Yeah, yeah, install all updates. Wow, there sure are a lot! Wait. Reboot, okay. What?! More updates? Okay, install. Reboot. MORE?!? Install, reboot....

        It literally took all day! He got so fed up he paid me $100
      • Nor have I had any issues with Windows Update on XP or Windows 2000/2003 Server or Professional. While patches may be a little lacking in expediency (sp?) it couldn't be easier to do. I love that I can have my office XP computer patch itself while my servers download but do not install patches without my explicit command. I can't imagine Windows Update - and especially automatic Windows Update being easier to use, even for non-power users.

        I would argue that Windows Update is too easy to use. I have fix
    • Not only that, but the number of flaws and their severity is so much more important than how nice your patch system is that they shouldn't even be compared.

      Remember the old "if Windows were a car" joke?

      I'd rather have a car that just keeps running than one that I need to get fixed all the time, even if the dealer makes it really easy. I'd rather have a car that doesn't get taken over by organized crime if I don't buy the optional armor plating. I'd rather have a car I can let the kids drive without having
    • "Microsoft Corp. seems to be moving away from focusing on the actual number of security patches and updates ...
      But of course they are"

      It is also interesting to read between the lines and see what appears to be an admission:

      Microsoft is more concerned about how secure their products APPEAR to be thus it is more important to release patches and updates in a way that makes it appear that they have fewer exploitable holes in their code. Its funny how they are still not focused on the issue which is the exploita
    • You cannot rely upon patching. Therefore, the OS must be designed with the smallest attackable surface. Ubuntu rocks in this regard. A default desktop installation has NO open ports. That makes it 100% worm proof.

      So I've made a hierarchy of vulnerabilities to help me determine the actual seriousness of the "threat". Note: these are only applicable to a default installation.

      1. Remote--root access that does NOT require human intervention or other app running.

      2. Remote non-root access that does NOT require hum

  • It may be good.... (Score:5, Insightful)

    by Anonymous Coward on Friday January 13, 2006 @11:37AM (#14463677)
    It may be good to have lots of patches, but once you have a car where the duct tape weighs more than any other parts combined, isn't it time to just get another car?
    • It may be good to have lots of patches, but once you have a car where the duct tape weighs more than any other parts combined, isn't it time to just get another car?

      That and isn't the quantity == to the quality? I mean shouldn't sufficient quality mean that all known security issues are fixed?

    • No, becuase with that much duct tape holding it together, the car would be virtually indestructible!
    • That's only if you assume that the majority of patches (for any piece of software, not necessarily just Microsoft's) are duct tape, rather than actual auto-body work. Following your analogy, the "new" car you bought was actually all dinged-up, scratched paint, busted taillight, etc. but you didn't really notice right away. These patches fill in the dings, replace the taillights, give you a new paint job, and generally "pimp your ride". You're left with a better ride than you had before, and maybe something

  • Efficient? (Score:3, Insightful)

    by IceCreamGuy ( 904648 ) on Friday January 13, 2006 @11:38AM (#14463691) Homepage
    I wouldn't normally think of 4 hours and 6 zillion reboots as "efficient" or "easy". -Julius

    • Flamebait? (Score:5, Informative)

      by Anti-Trend ( 857000 ) on Friday January 13, 2006 @12:06PM (#14463966) Homepage Journal
      ...maybe. Wrong? Not really. The only thing more rediculous than rebooting a workstation several times after a small batch of updates though is doing the same with a server. I'm going to get a tad bit off topic, but in the same thread of throught, so bear with me. Every time someone posts on Slashdot that Unices have better uptimes than Windows boxen, you invariably get a half-dozen disgruntled Windows admins spouting off numbers of how long their servers have been up. What they don't take into account is that if those systems have been up as long as they claim, the necessary updates have not been applied. Most Windows updates still require that a system is rebooted before the patch actually takes effect. Unix-like systems, on the other hand, are routinely patched hot, and typically only require a reboot in the case of a kernel update or invasive hardware maintenance. If Microsoft does finally fix the design flaw that requires one to reboot after nearly every patch, it will not be innovative so much as becoming more Unix-like in design.

  • Uh, no. (Score:5, Insightful)

    by Benanov ( 583592 ) <brian...kemp@@@member...fsf...org> on Friday January 13, 2006 @11:40AM (#14463715) Journal

    How about, which vendor makes the patches unnecessary (i.e., few and far between) because it released a solid, working program?

    I don't want patch quality. I want program quality.

    I work in proprietary software. Most places that do proprietary software are overworked and quality suffers. (EA is an extreme example where workplace quality suffered as well as program quality.)

    In the places I've worked, everyone's too busy doing what they've been assigned and they're overworked because they're understaffed. Hiring more people means less money for the company so that generally doesn't happen.

    With FOSS, anyone can pick up the source if they have some spare time and hack away at it, and even if individual contributions are small, there's always someone with some spare time and a different view about how something should work.

    Once you start doing for money's sake, you spend more time worrying about your bottom line than about quality.

    • Re:Uh, no. (Score:3, Insightful)

      by Hiro Antagonist ( 310179 )
      It's not money that's the problem; it's a devotion to accruing every possible unit of negotiable currency that causes the problem. There are a lot of businesses, most of them privately held, that make 'slightly less' than a ton of money by doing something different, and caring about the customer instead of the bottom line.

      Public companies don't have this luxury; they have to care about 'the bottom line', because they are responsible to their shareholders before they are responsible to their customers. In

  • anyone else think it's odd (Score:5, Interesting)

    by subtropolis ( 748348 ) on Friday January 13, 2006 @11:43AM (#14463737)
    that the head of their "Linux and open-source lab" is also their "director of Platform Technology Strategy"? Why ever should that be?

  • I was looking for... (Score:3, Insightful)

    by sam1am ( 753369 ) on Friday January 13, 2006 @11:43AM (#14463738)
    ..which vendor makes the patching and updating experience the least complex, most efficient and easiest to manage.
    And here I was looking for the vendor that would keep my systems the most secure. Silly me.
    • In big companies upper and usually middle management care more about ease of distribution than security. They only care that their short term costs are low when it comes to patching. Other than that they rely completely on the vendor to be rigorous in testing and patching. Big financial firms, for example (and from my own experience), do not test Microsoft application and OS security much. They assume MS will simply take care of it. When patches come out they simply make sure their custom software isn'
      • You kind of proved the point:

        [Companies] do not test Microsoft application and OS security much. They assume MS will simply take care of it.

        To me, that sounds like companies want Microsoft to worry about the security, and they'll worry about the difficulty involved in regression testing and patch installation.
  • just aren't doing it for me anymore.

    here we have some MS guy going on and on about a problem that needs to be addressed before your release software, not after

  • efficient? (Score:5, Interesting)

    by BushCheney08 ( 917605 ) on Friday January 13, 2006 @11:44AM (#14463753)
    ...but which vendor makes the patching and updating experience the least complex, most efficient and easiest to manage.

    My office recently donated some P3 machines to a homeless shelter. The process of wiping the drive and installing Win 2000(SP4) and updating it to be current took nearly 4 hours for one machine. This was a machine that had just the OS. I had to run Windows Update and reboot at least a dozen times. Each time, I'd select and install all patches available. Due to prerequisite patch dependencies, however, each update/reboot cycle would make another 10-15 patches available. Hardly efficient. You'd think they could roll it all up into one huge patch and make it available. (And yes, I can understand the need for some places to avoid certain patches - make that the option, not the norm!)
    • You also forgot having to upgrade the Windows Update Setup Tool so that it could run the "Genuine Advantage" tool.

      But lets compare this to any SuSE Linux release in the last few years. It has an option for downloading updates from inside the installer, which can take between 30-60 minutes to download and apply, and then requires no reboot, although certain updates (such as the kernel) won't become active until a reboot is done. Then SuSE Watcher will download and apply any future kernel updates.

      So, fewer

  • least complex? (Score:3, Insightful)

    by ScislaC ( 827506 ) on Friday January 13, 2006 @11:47AM (#14463785)
    "but which vendor makes the patching and updating experience the least complex"
    I will say that Windows Update was better than anything else I had seen when it was initially introduced (I will admit to not having used Linux then though). However, any modern distros I've used (Ubuntu & Suse most recently) actually have a far LESS complex patch and update mechanism... because they patch all of the software and libraries as well, not just the OS. And they do it the same way as windows with a little notifier in the system tray (yeah, they don't autoinstall as far as I've seen, but, a couple clicks doesn't add to complexity as far as I'm concerned). Just my .02 on that part...
    • Not only will Yast Online Update allow for fully automated patching, but you can also point it to a patch repository of your own choosing, so that you can download and test patches first, then put them in the repository when you want all of your machines to apply them.
  • Tests at Microsoft's Linux lab show that counting the raw number of security updates required by the various operating system flavors is not as meaningful as examining the efficiency of the update process.
    Microsoft Corp. seems to be moving away from focusing on the actual number of security patches and updates that it and its software competitors release. Instead, it is concentrating on making it easy and efficient for customers to obtain the security fixes and update their systems."


    I have an idea
  • If I have to deal with bugs and patches, I'd rather have Gates & Co. take the time to do the patch correctly. Having a fast, bad patch hose my system would upset me more than a slow, good patch that MIGHT leave me vulnerable for an exploit that MIGHT get through my firewall, router, and AV and MIGHT hose my system.

    (Please, bring forth all the comments about how I don't have to deal with bugs and patches if I switch to _______ now.)
  • 'the differentiator for customers is not the number comparison, but which vendor makes the patching and updating experience the least complex, most efficient and easiest to manage.'

    apt-get update
    apt-get upgrade

    Done!

    It doesn't get much simpler for the user does it?

  • Full credit to eWeek... (Score:4, Insightful)

    by Chicane-UK ( 455253 ) <chicane-ukNO@SPAMntlworld.com> on Friday January 13, 2006 @11:54AM (#14463858) Homepage
    Reading that article made such a refreshing change compared to the Microsoft 'propaganda' stories we usually get linked to. eWeek gave Linux vendors the chance to answer and explain all of the figures which seemed to side with Microsoft - and invairiably once dissected, the usual Microsoft massaging of figures clearly comes to light.

    One great example was this:


    Interestingly, Microsoft's Hilf has a personal Red Hat workstation in his office that he uses on a daily basis. He selected a random week in October to provide a snapshot of the updates made to his Red Hat Enterprise Linux workstation over that period. He found that, between Oct. 6, 2005, and Oct. 11, 2005, his workstation was updated 66 times.

    "I chose those dates randomly," he said. "I use this system daily, so it was literally a snapshot of a given workweek. All this illustrates is that patching and updating are part of any 'living' software system. It is part of the nature of modern software: Things change, bugs happen, features get added, and software needs to get updated."

    But Red Hat's Cox pointed out that the second update release for RHEL4 was issued Oct. 5, resulting in a very large number of updated packages over the period of a day or two, "which is what Hilf saw. We only issued two Update releases for RHEL4 in 2005, so he was quite unlucky in his choice of a random snapshot," he said, tongue in cheek.



    Unlucky indeed. Nice to see some unbiased reporting and not just verbatim duplication of Microsoft comments and 'press releases' for a change.

  • Advice for Bill (and you can pay me later...) (Score:3, Interesting)

    by ArtDent ( 83554 ) on Friday January 13, 2006 @11:57AM (#14463890)
    I've had the Automatic Updates icons staring at me from my system tray for the last couple of days. The reason I haven't yet installed the latest security update (KB908519) is because I *know* from past experience that it will ask me to reboot afterwards. I use this machine for work, and like just about everyone else in the world, I've got many different tasks on the go, so I've got several programs open, and I don't want to close them, lose all their state, and spend several minutes rebooting. So, I'll say "no", and later forget that I was supposed to reboot.

    I'll promptly install patches when doing so doesn't require unnecessary reboots. If the kernel isn't being patched, don't make me reboot!
  • ...spend a little more money patching and improving their software and a little less of it trying to convince us all that they're paragons of programming virtue, since we don't believe it anyway.

  • Argh, more buzzwords (Score:3, Insightful)

    by Alioth ( 221270 ) <no@spam> on Friday January 13, 2006 @12:02PM (#14463927) Journal
    Why does everything have to be a such-and-such "experience". I don't want a patching experience at all, I want to have it happen in such a way that it's a non experience. They make it sound like it should be a movie or a fun fair by calling everything a such-and-such "experience"!
  • yum update -Y

    go back to working
  • 'the differentiator for customers is not the number comparison, but which vendor makes the patching and updating experience the least complex, most efficient and easiest to manage.'

    Speaking as a customer who manages a few servers and workstations at a company that has hundreds of the former and tens of thousands of the latter, I disagree. The differentiator for me is made up of two factors; window of vulnerability and severity. Spending two extra hours preparing to apply a patch that arrives one day sooner
  • If you want to know the key to evaluating the weaknesses of a Microsoft product simply look for any studies relating to the product. If there's a study saying a certain aspect of the product is well done then you can be sure that part sucks. When your a large company like Microsoft and you have a good product, it speaks for itself in terms of word of mouth. Regular advertising is all you need. When you've got a weakness then you need a "study" because the word of mouth isn't so hot.
  • I didn't RTFA. I don't think I need. All I needed to see is "Linux", "Microsoft", "patches", "legacy systems". With emphasis on the last one.
    Take my three legacy systems: Mom's Pentium MMX 166 webbrowsing machine, my 486 firewall and my work machine, P2 300, 256M RAM. Or something around these lines, somewhere up to 64MB RAM... WHAT systems run on these machines?
    Mom's computer runs Win98. Dumbed down interface plus low system requirements. (Sorry: Easy, Lightweight, Stable, pick any two.) My job machine run
  • "the differentiator for customers is not the number comparison, but which vendor makes the patching and updating experience the least complex, most efficient and easiest to manage."

    Honestly, Windows update is downright clunky and annoying. I don't know what's worse, having to jump to the web browser, the limited availability of combined patches, having to restart / install / repeat if you're behind in updates, needed to download separate patches for popular MS apps that are not included within Windows Updat
  • I refuse to update anything on my gaming (win) machine unless something I want to do absolutely requires it. Often the patches (SP2 ??) do more damage. On top of that you often end up in a time consuming wasteland of endless updates of other files that fix that what damage that patch has done.

    Of course I can only do this because I refuse to use email or IE on this machine.

  • Like most M$ crap (their studies are as buggy as their software), this is nonsense. The number of bugs absolutely matters. Even if you patch quickly and easily, a large number of bugs does not inspire consumer confidence. I bought a Honda recently, not because of concerns about repair cost or time, but because I simply felt more secure with the production values and history of the company. (Right or wrong, that is why I made a $20K choice and I am not the only one that did over quality concerns.) I was

  • yes, let us believe the head of the MS Anti-Linux (Score:3, Insightful)

    by Locutus ( 9039 ) on Friday January 13, 2006 @12:28PM (#14464202)
    My gawd Jim, this is a marketing company for heavens sake! ( not sure why Dr McCoy came to mind...)

    Why would anybody think there is any truth to what the head of Microsofts anti-Linux group says?
    Do you think he might have a little motivation to make sure people THINK their OS smells like roses?
    I do.
    IMO

    But thankyou Mr Hilfe for making sure CIO's, CTO, etc know that Linux is on Microsofts mind. THAT,
    combined with what their employees are experiencing is great for your competition. :-)

    LoB

  • Microsoft propaganda machine in attack mode? (Score:3, Insightful)

    by penguin-collective ( 932038 ) on Friday January 13, 2006 @12:30PM (#14464217)
    There is just one story after another about Microsoft "going for quality" and "Microsoft running on machines just as small as those Linux runs on", "Microsoft having fewer vulnerabilities according to some web site", and "Microsoft this" and "Microsoft that". If you read carefully, most of those stories were actually initiated by Microsoft.

    So, that makes me wonder: is this just the season for the Microsoft propaganda machine to become active? Or is Linux striking more fear than usual into their hearts?
  • PR skills must be listed as part of this guy's job description.

    He's using an old PR trick: If the message you were "staying on" becomes fouled, spin the subject to something positive related to the same subject. Microsoft folks are stretching and spinning so far and so hard this past year they seem to be living in a different universe. But that is just tactical.

    The strategy behind such behavior is "The Big Lie." Repeat the same lie in front of people over time and you'll soon have a few who believe it, and
  • People care about quantity of fixes because of the quantity of bugs and holes.

    If they just had a handful of good quality bugs, careful, deliberate releases of a few good quality patches would be perfectly acceptible.
  • The basic mechanism of MS Update is fragile and prone to break for any number of obscure reasons that MS can't or won't address. Even on MS's own support pages there are innumerable references to the obscure yet popular 'cannot install update' or any number of other vague problems. Often the fix is to record the fix number then root around in the download areas, download them and install them by hand. BTW this doesn't work for many hardware drivers.

    So MS can rollout all fixes they want. As long as they insi

Slashdot Top Deals

Beware of Programmers who carry screwdrivers. -- Leonard Brandwein

Close