Posts by Doctor Syntax

"The million-row excel file that should have been moved into Access fifteen years ago"

And to a proper database server 14 years and 11 months ago.

Re: Smartware

"It included a database application"

The company was bought by Informix for no good reason except that their (Informix's) then management suffered from a lack of BOFH and openable windows in their offices. They did some work to use Informix as a back end. But only as a back end to the spreadsheet.

"The problem here is the delay between it being actively exploited and KNOWING it's being actively exploited"

No, the problem is submitters providing code to treat the possible symptoms rather than cure the disease - or, if they don't know how, telling someone who does.

"temporarily disabling something to ensure that it can't be exploited, while a full fix is being developed, is a perfectly acceptable security approach"

Disabling in instead of fixing it isn't. What was stopping the submitters of sending in patch to fix the problem instead of hiding it?

"they're unlikely to be reported if no-one can run the affected code."

Except they could be reported by security researchers who think it better to cure the symptoms instead.

"Which would you rather have: a system that doesn't work or can't be trusted?"

It's a false dichotomy. The effort that goes into the break it now fix should go into the fix it properly fix. What I want, and which I expect Linus to provide, because of this approach, is a system that works and can be trusted.

"So why is it right when Linus says effectively the same thing?"

Linus isn't saying the same thing. What he's saying is fix the problem instead of hiding it.

AFAICS what's happening is that the security researchers are sending in patches which will throw an error if a dubious bit of code is hit even if it wouldn't cause a problem in that instance. They're then expecting him to incorporate that code in the kernel tree for the next release.

What he wants is that the code itself is fixed. That can then be backported into older kernel versions* (that, of course, could also be done with the just kill it fix). However the effort that goes into the just kill it patch could either be put into a proper fix by the researcher or, if that's too difficult, into a proper bug report so it can be fixed. Either fix is likely to go into the same kernel release cycle anyway and it's vastly preferable that it's a real fix. If he allowed just kill it fixes in the real fixes are likely to be delayed.

* Linux distributions don't always run the same kernel version. These appeal to different types of user.

Production systems tend to be very conservative with LTS vernel versions and only security fixes made available as kernel updates. Consistency of operation is highly valued.

More adventurous distros exist for those who must have the latest, greatest, coolest toys. These value novelty over consistency and can expect breakages from one release to the next. A release will have the latest kernel available at the time of packaging.

Users who want to test new stuff - equivalent to the Windows Insider Fast Ring can either go for a bleeding edge distro or install RC kernels in other distros.

"But even so; any user who cares about the sanctity of their data probably agrees."

What if the crash the system approach leaves the user with corrupt data?

The effort should go into fixing the root problem.

"What do you do when you biggest issue is PEBCAK?"

The kernel hardening approach would seem to be switching off the computer and removing the keyboard. And maybe the chair.

"I'm not sure what you take from the article but maybe you should read the previous article as well to get some understanding."

Even better, go and read the actual post.

"there are no lessons to learn."

There's one: it can happen to us.

Re: I'm technically under a NDA

"It's not Friday....I don't need mental images like that in my head!"

You do on Fridays?

Re: Really useful article.

"Haven't you been following the whole systemd debate?"

What did you think my comment was about?

Re: Do not run with scissors

"Scripts can be useful, but be careful with them."

Be even more careful just going in there and hacking it by hand.

You should not be relying on them for everyday tasks, or even "every year" tasks, because you're just opening yourself up to problems.

This is just what you should be using them for. As you say, you can get them ratified, check into the source code revision system of your choice or whatever in order to have a repeatable set of operations on which you can rely. For rarely performed operations this is even more important than daily ones.

Effectively you are then doing software development, whether you're a tiny one-man operation or a huge multi-national, and the same standards as you'd expect a software developer to use should apply - testing, verification, dummy-runs, early bail-outs, stop on every error, etc.

Yes. Why would you fly by the seat of your pants doing operations manually when you have this option?

Re: Something missing?

I would also suggest that the differences between scripting an operation and performing it manually is little different from performing it "manually" (on a computer) and actually doing the operations in person.

1. It can be reviewed by yourself and others. That way it can be checked for errors, including typos such as rm -rf ~fred /*

2. It's repeatable. If you have a saved script that was successfully yesterday you know it will perform exactly the same operations today and tomorrow which you might not do yourself if sitting there thinking "Now what did I do next?".

Re: Really useful article.

"For the rest of us, I suspect this is bread and butter stuff."

That's what I thought until I realised it was aimed at Windows admins. However I suspect Linux could be going that way; how else does one explain init scripts as being too difficult?

Re: About time....

"have shared storage"

Genuine question...what's that got to do with a router?

It's something a lot of routers offer these days - stick a USB socket on the side of the router and let the punters plug a thumb drive into it and it appears on the network. The good news is you don't have to use it.

Re: Well...

"A better guide would be a table"

Too complicated for those who just want to look at a single number. How would the likes of Amber choose their ISP?

Re: Use median speeds instead

Silly idea of course, because the adslingers would have to understand what "median" means in the first place

And so would prospective customers.

Re: Not GDPR relevent

"it's not about data protection."

It looks very much like a data protection issue to me.