[Asterisk-Users] Fedora Core 3 or Fedora Core 4? yum update or not?

Tzafrir Cohen tzafrir at cohens.org.il
Fri Feb 10 01:30:38 MST 2006


On Wed, Feb 08, 2006 at 10:20:43AM +0000, Jens Vagelpohl wrote:
> 
> On 8 Feb 2006, at 09:43, JP Carballo wrote:
> 
> >Alex Barnes wrote:
> >
> >>I think the "once it's working, leave it alone" advice is very sound
> >>indeed :)
> >>
> >>
> >A similar rule says "If it ain't broke, don't fix it."
> 
> Until you realize some script kiddie has exploited another Apache/ 
> mod_ssl bug and is now remote-controlling your box.
> 
> There are no hard and fast recipes here. Neither the "automatically  
> apply any and all updates" nor the "build and never look at it again"- 
> policies should be applied without taking the specific situation into  
> account.
> 
> If your box is on the internet you simply cannot forego updates.  
> Period. If your box is completely walled off from the internet you  
> can be lax about it (unless you have to worry about attacks from the  
> inside).

If the box does VoIP then it is on a network. And thus an exploitable
target.

You should also make it not trivial for an attacker to gain root even
after some successful exploit, if possible.

> 
> The best policy is probably one that is halfway between the two.  
> There are packages you only ever want to update "under parental  
> supervision", like kernels. Then there are packages where you want to  
> grab any update you can get ASAP, like Apache, or PHP, or SSH. Yum  
> allows you to express this in its configuration, you can exclude  
> packages from the automatic update.

But first and foremost, pick a distro that you can trust to provide
reliable updates that don't break. If you can't rely on the distro for
Apache, PHP, SSH and the kernel, you'll end up with a broken config.

I assume that this is not the only box you'll have to maintain. And that
you'll have better things to do than watching bugtraq all day long.

> 
> I personally run a nightly script that uses yum to determine if there  
> are updates. I apply them by hand. However, this is only feasible  
> because it runs on just two machines.

Not sure about other distros. On $MY_DISTRO there is a package to run
that automatically. Which is kind of expected, because enough people have
come to rely on the updates to apply automatically.

The least you should do is to download all the updates automatically, to
make the time required for applying them minimal.

-- 
Tzafrir Cohen         | tzafrir at jbr.cohens.org.il | VIM is
http://tzafrir.org.il |                           | a Mutt's  
tzafrir at cohens.org.il |                           |  best
ICQ# 16849755         |                           | friend
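The split policy discussed in the thread (kernel and other "parental supervision" packages excluded, everything else checked nightly and reported so it can be applied by hand) fits in one cron script. This is an added example, not code from the thread, from Fedora or from the Asterisk project; the SUPERVISED package list, the MAILTO recipient and the $YUM/send_mail indirection are assumptions made here so the script can be exercised without a real yum or MTA.

```shell
#!/bin/sh
# Nightly yum check for a yum-based box of the FC3/FC4 era.  Packages that
# should only be updated under "parental supervision" are excluded from the
# automatic run; everything else is reported by mail so it can be applied by
# hand, or applied unattended by changing one line.
#
# Assumptions (not from the thread): the SUPERVISED list, MAILTO, and the
# $YUM / send_mail indirection, which exist only so the script can be tested
# without a real yum or a mail transport.

SUPERVISED="kernel kernel-smp kernel-devel asterisk zaptel"
MAILTO=${MAILTO:-root}
YUM=${YUM:-/usr/bin/yum}

# One --exclude per supervised package.  The same list can live permanently
# in /etc/yum.conf under [main] as "exclude=kernel* asterisk zaptel".
exclude_args() {
    for p in $SUPERVISED; do
        printf '%s ' "--exclude=$p"
    done
}

# yum check-update exits 100 when updates are pending, 0 when there are
# none; anything else is an error.  Map that onto a word the caller acts on.
classify_status() {
    case "$1" in
        100) echo pending ;;
        0)   echo none ;;
        *)   echo error ;;
    esac
}

# Mail wrapper: subject in $1, body on stdin.
send_mail() {
    mail -s "$1" "$MAILTO"
}

# Run the check.  Prints the resulting state (pending/none/error) and mails
# the pending list or the error text, so a broken check never fails silently.
nightly_check() {
    rc=0
    out=$($YUM -q $(exclude_args) check-update 2>&1) || rc=$?
    state=$(classify_status "$rc")
    host=$(hostname 2>/dev/null || echo localhost)
    case "$state" in
        pending)
            printf '%s\n' "$out" | send_mail "yum: updates pending on $host"
            # To apply them unattended instead, replace the line above with:
            #   $YUM -y $(exclude_args) update 2>&1 | send_mail "yum: applied on $host"
            ;;
        error)
            printf 'yum check-update exited %s:\n%s\n' "$rc" "$out" \
                | send_mail "yum: check FAILED on $host"
            ;;
    esac
    echo "$state"
}

# Install as /etc/cron.daily/yum-check (mode 0755).  Fedora's own nightly
# job (/etc/cron.daily/yum.cron, enabled with "chkconfig yum on") runs
# "yum -y update" unattended; the exclude= line in yum.conf is what keeps
# the kernel out of that run as well.
```

Because the excluded packages never show up in the report, keep a separate reminder (or a weekly run without the excludes) for the kernel and Asterisk packages themselves; the exclusion is a scheduling decision, not a reason to skip those updates.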