[pca] Solaris 10 Patches Now On Monthly Release Cadence
Laurent Blume
laurent at elanor.org
Wed Oct 16 14:28:27 CEST 2013
On 17/09/13 08:22, Martin Paul wrote:
> See this blog posting from Gerry Haskins:
>
> https://blogs.oracle.com/patch/entry/solaris_10_patches_now_on
>
> I had already wondered as very few Solaris 10 patches have been released
> recently. Obviously yesterday was September's "the Monday closest to
> 17th of each month" (what a specification, impossible to specify that in
> a calendar app), as a bunch of new Solaris 10 patches was released.
>
> I don't see any advantage in "... enables customers to predict patch
> release dates and schedule maintenance windows" - personally I'd prefer
> to get (security) fixes ASAP. Plus, I could always decide on my own when
> to install patches anyway.
It allows them to weasel their way through a loophole of some security
standards, PCI-DSS in my case: those compel you to install security
patches at most 3 months (or 1 for critical ones) after the vendor
*announced it*.

So in Oracle's logic, as long as they don't announce the
vulnerabilities, then they don't exist, and your system is compliant.

That's not a supposition, btw: they actually told me that.

And since I complained about it last year, that we were sometimes
getting patches weeks or months before they announced the corresponding
vulnerability in their CPU, what did they do?

Well, the only logical thing: postpone the delivery of the patches.

It all makes sense in the Oracle Zone, a dimension beyond that which is
known to man.

Laurent