Derrick's Security Weblog

Tuesday Aug 09, 2005

Free security patches - but what does free mean?

Some of you may have noticed a bit of a change on sunsolve (http://sunsolve.sun.com) lately. About a week ago Sun rolled out the newest changes to our main service and support delivery page. Two of the biggest changes from a user experience point of view may have been in the way we provide patches.

In order to get patches for Solaris 10, you need to do 2 things. You must first register and create an account (free) and you must use the Sun Update Manager (also free) to get your patches. The Update Manager makes it easier to manage patches, and includes a command line interface for people who prefer patchadd. Most patches will now require a service contract of some sort. If you're giving away the OS, the way you make money is charging for the extra value of service and support (how else would Linux companies be worth anything financially?).

Over the last 6 months or so, I was occasionally in meetings where folks were talking about the new patch delivery mechanisms and entitlement. I got to sound like quite a broken record as I repeated “Security patches must always be free”. The good news is that security patches were still free; the bad news is that, to some people, requiring registration and using the Update Manager counted as not free.

A number of customers let us know in a hurry that they didn't agree with this definition (and frankly, neither do I). In the security world, a free patch is entirely free. Free of charge, free of registration, free of overhead, free of our tools. I'm happy to report that I was able to make this case and security patches are once again available via HTTP or FTP from sunsolve (just find the patch readme and click the link).

I believe Solaris is one of the most secure Operating Systems on the planet, but even we have security bugs. Everybody, whether a customer or not, is better off when people keep their systems up to date with security patches. Anything we can do to make security patches easy to get and install (you can still install them with the Update Manager if you choose) is a good thing.

Some of our competitors seem to get this, and some don't.

Comments:

I can't for the life of me find a link that can get me a free sunsolve account and thus free access to security or any other patches for Solaris 10... have any pointers? For what it's worth (not much) I strongly believe that vendors should supply security updates for free (registration may be acceptable). All updates would be nice, but I do understand the need for a support model that provides income. It does seem like the "right thing to do", however, to freely distribute flaws that allow folks to do what they ought not. I appreciate any help on finding sec fixes that are indeed freely available.

Posted by Brian on March 26, 2006 at 03:54 AM PST #
