OT: SCO Forum
Fairlight
fairlite at fairlite.com
Fri Jun 23 15:50:44 PDT 2006
In the relative spatial/temporal region of
Fri, Jun 23, 2006 at 03:21:09PM -0700, Bill Campbell achieved the spontaneous
generation of the following:
>
> I presume you're talking about 9.0 Professional, not SuSE Linux
Yes, 9.0 Pro. They still release patches, but I have to wonder when
they'll stop. There've been so few recent exploits for anything that's on
it that without an official statement it's not possible to tell.
> Enterprise 9 (SLES9). I suspect that 9.0 Pro is considered obsolete now. I
> think that Novell is supporting SuSE Linux Enterprise 8 still, which has
> the 2.4 kernels.
Maybe the dropping of SLES8 will be the cue to drop 9.x Pro.
> I haven't looked at the contracts on SuSE Enterprise versions, but I think
> they provide at least 3 year support in these, including providing updated
> drivers (SLES9 SP3 just came out with full 64 bit support and updated
> hardware drivers).
And more worrisome it's been just about 3 years since those went in.
> I haven't had any problems with the 2.6 kernels in SuSE 9.2 Pro and later
> SuSE releases. I gave SuSE 9.1 Pro a miss as it was the first of the 2.6
> kernel versions for SuSE.
Didn't say I've had problems with them, I said I'm uncomfortable with them.
Until they hit .18 I'm generally wary of them. I saw they've hit 2.6.15,
but that doesn't make me feel any better. 2.4.15 wiped out entire
filesystems for many people. Historically, .18 is when they start staying
relatively static and receiving only security and back-port patches.
If forced, I'd probably take 10.0 now. Still not happy about apache 2.x
though. Their cleaning mechanism for CGI processes totally wipes a
well-documented, time-honoured methodology for doing background tasks after
disconnecting the client. It's impossible to use that mechanism unless you
hack the apache source. Not that I use it often, and it's not a huge
dealbreaker by itself. But 2.x was supposed to have a lot more going for
it than ever materialised, and 1.3 is still better in some ways.
Eventually apache will stop releasing that tree though. :(
> We don't use SuSE's Samba or most of the other server software, preferring
> to use the OpenPKG versions where I have far more control, being one of the
> active OpenPKG developers.
How do you judge whether a dist is ready or not when you're not running a
good percentage of their packages? :) Smiley included, and no offense,
but it's an earnest question in the end.
> I haven't seen any major issues on the various Linux mailing lists I read.
> I've installed 10.0 on a few desktop systems, without finding any major
> gotchas. It installed on my 1999 ThinkPad 600, but I ran into interrupt
> problems which made 32-bit CardBus cards unusable so I'm still running SuSE
> 9.2 Pro on that box.
I'm probably going to "play" with this 10.0 I have access to and if it pans
out, I'll give the recommendation to upgrade around August. Of course,
10.1 is already out. *sigh* Some days I -REALLY- hate the adoption vs
maturity vs EOL graph. About the time they get one solid enough that
you're comfortable deploying it, it's deprecated and 1/3 of the way to EOL.
> Switch to a Mac :-).
Not an option in this environment. For one thing, fP runs on them. Even
if there were a port, there's no way they're going to pay just to migrate.
> There was a very interesting article on security issues that questioned the
> value of ``virus'' reports from organizations that depend on Microsoft
> security holes for their existence. I found the comments on CERT's
> advisories particularly interesting.
>
> http://software.newsforge.com/article.pl?sid=06/06/06/1832223&from=rss
I'll take a look. Overall I've personally questioned for years whether
there were antivirus companies that maybe hired overseas crackers to come
up with new exploits to keep the update racket alive. Call it a conspiracy
theory, but if you look at how that segment of the industry works, it has
to at least give one pause. And after Enron, I can believe almost
anything's possible. :)
> >(12) LOW: Sendmail MIME Message Denial-of-Service
>
> Sendmail is probably as close to a virus as one is likely to find in the
> *NIX community. When we first connected to the 'Net, my first priority was
> to find a Mail Transport Agent (MTA) that did SMTP and wasn't sendmail. At
> that time (about 1991) the CERT advisories for sendmail were about the same
> weight as a Manhattan phone book.
Yeah, but those days are LONG past. I remember that. I remember the
Morris Worm. I remember a lot of sendmail issues. Nowadays it has as few
alerts as Exim, and less than Postfix. Sendmail got better--and easier to
deal with--since ye olden days when the line noise section was practically
required understanding.
Nowadays, it's PHP you have to watch. 20+ alerts every week about
PHP-based apps, and way too many issues with PHP itself for comfort. I
haven't seen anything attract that many security-braindead programmers.
I think it's AOL/MS syndrome--so easy to use, everyone thinks they're an
expert...till they get cracked. Talk about a moving target, too. They
change the API between not just minor revisions, but patchlevels! That's
just fundamentally wrong... I'm not pointing the same finger at fP for
that because 1) they make every effort at backward compatibility, and 2) to
date, their "patchlevel" releases are really equivalent to minor revision
level releases the way they go about them. They just number things oddly.
> Open the Microsoft Office documents with OpenOffice.org, edit, and return
> them as files in the Portable Document Format.
Not an option, as the party sending it to me sent it for mods and then
needed to make more mods. I generally not only virus scan them, I look at
them with catdoc to see -roughly- what I'm getting.
And if it was a macro exploit, wouldn't OpenOffice be just as vulnerable, or
did they forego that much compatibility?
mark->