OT: SCO Forum
Bill Campbell
bill at celestial.com
Fri Jun 23 16:30:54 PDT 2006
On Fri, Jun 23, 2006, Fairlight wrote:
>In the relative spacial/temporal region of
>Fri, Jun 23, 2006 at 03:21:09PM -0700, Bill Campbell achieved the spontaneous
>generation of the following:
>>
>> I presume you're talking about 9.0 Professional, not SuSE Linux
>
>Yes, 9.0 Pro. They still release patches, but I have to wonder when
>they'll stop. There've been so few recent exploits for anything that's on
>it that without an official statement it's not possible to tell.
We have a couple of servers here running SuSE 9.0 Professional, one of
which replaced a Pentium 75 Caldera 1.3 system that had been doing our
dialup uucp and HylaFax for the better part of ten years.

The server software on the SuSE 9.0 box is from OpenPKG Release 2.2, the
same as we're running on a FreeBSD 4.8 server, and all essential servers
are the same versions we're running from OpenPKG Release 2.5 on 64-bit
SLES9-SP3 machines.
>> I haven't looked at the contracts on SuSE Enterprise versions, but I think
>> they provide at least 3 year support in these, including providing updated
>> drivers (SLES9 SP3 just came out with full 64 bit support and updated
>> hardware drivers).
>
>And more worrisome it's been just about 3 years since those went in.
I suspect that the end of the support time is from the time of the next
major SLES release, not the first release.
...
>If forced, I'd probably take 10.0 now. Still not happy about apache 2.x
>though. Their cleaning mechanism for CGI processes totally wipes a
>well-documented, time-honoured methodology for doing background tasks after
>disconnecting the client. It's impossible to use that mechanism unless you
>hack the apache source. Not that I use it often, and it's not a huge
>dealbreaker by itself. But 2.x was supposed to have a lot more going for
>it than ever materialised, and 1.3 is still better in some ways.
>Eventually apache will stop releasing that tree though. :(
We're running apache-1.3.36, and haven't tried apache2 yet. I generally
avoid the Latest & Greatest(tm) until there's some compelling reason to
switch (e.g. software that requires it).
>> We don't use SuSE's Samba or most of the other server software, preferring
>> to use the OpenPKG versions where I have far more control, being one of the
>> active OpenPKG developers.
>
>How do you judge whether a dist is ready or not when you're not running a
>good percentage of their packages? :) Smiley included, and no offense,
>but it's an earnest question in the end.
I don't care about their server packages that we don't use. One of the main
reasons I moved things to OpenPKG when we made the switch from Caldera
Linux to SuSE was to minimize our dependence on the vendor's packages.
If SuSE Linux became unavailable tomorrow, it would take me a day or so to
get everything running on a different distribution, FreeBSD, or Solaris.
The hardest part of a transition away from SuSE Linux would be redoing the
automatic installations we're doing with autoyast now.
...
>I'm probably going to "play" with this 10.0 I have access to and if it pans
>out, I'll give the recommendation to upgrade around August. Of course,
>10.1 is already out. *sigh* Some days I -REALLY- hate the adoption vs
>maturity vs EOL graph. About the time they get one solid enough that
>you're comfortable deploying it, it's deprecated and 1/3 of the way to EOL.
Again, that's why we're using the OpenPKG server components, and the
Enterprise versions of SuSE. Keeping up with a new distro every six months
is too much of a PITA.
...
>Nowadays, it's PHP you have to watch. 20+ alerts every week about
>PHP-based apps, and way too many issues with PHP itself for comfort. I
>haven't seen anything attract that many security-braindead programmers.
>I think it's AOL/MS syndrome--so easy to use, everyone thinks they're an
>expert...till they get cracked. Talk about a moving target, too. They
>change the API between not just minor revisions, but patchlevels! That's
>just fundamentally wrong...
I know just enough php to be able to configure horde/imp/..., and really
don't like the language. They've taken the worst of perl's syntax, and
obfuscated it by burying it amongst a bunch of HTML.

That type of API changing seems to me to be an indication of lack of
understanding of basic design principles. The Sleepycat Berkeley database
routines are equally ugly when it comes to changes within revisions and
patchlevels. Look at the code in the perl or python bsddb routines for
examples of #ifdef hell.

David Korn did a presentation at a Seattle Unix Group meeting several years
ago, talking about the development of AT&T's uwin, a system to provide Unix
capabilities in a MS-Windows environment. Korn said that one of the major
issues they had to deal with is that Microsoft Windows often has different
APIs, not only between major Windows versions, but between patch levels
within a major version. The same system call might take different
arguments and/or return different results.

When I took an advanced Samba class from John Terpstra, member of the core
Samba development team and author of the Official Samba 3.0 HowTo and Samba
3.0 by Example, he said that the RPC protocols used in Microsoft's SMB/CIFS
were as bad or worse than Korn's description.
>> Open the Microsoft Office documents with OpenOffice.org, edit, and return
>> them as files in the Portable Document Format.
>
>Not an option, as the party sending it to me sent it for mods and then
>needed to make more mods. I generally not only virus scan them, I look at
>them with catdoc to see -roughly- what I'm getting.
>
>And if it was a macro exploit, wouldn't OpenOffice be just as vulnerable, or
>did they forego that much compatibility?
I don't know the answer to that as I've never played with Office macros
(the last time I did extensive macro programming was when I wrote Model II
Scripsit macros to take VisiCalc output, and transform it to print on Radio
Shack Daily Report forms :-).

Since I run OpenOffice.org programs on OS X or Linux, I'm not terribly
worried about macro attacks that infect Windows.
Bill
--
INTERNET: bill at Celestial.COM Bill Campbell; Celestial Software, LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
If you want government to intervene domestically, you're a liberal. If you
want government to intervene overseas, you're a conservative. If you want
government to intervene everywhere, you're a moderate. If you don't want
government to intervene anywhere, you're an extremist -- Joseph Sobran