Patching is bad!

Posted Jan 30, 2003 9:26 UTC (Thu) by libra (guest, #2515)
Parent article: A look at the MS-SQL worm

For my part I'm totally opposed to the idea of using patches. If I use a patch when installing a product, that means that I have installed something that is bad at one time during the process. Certainly among the SQL-servers that were infected some were installed less than 6 months ago, but from an incorrect cdrom which is anyway the reference cdrom for such an installation.

On this topic the big difference here between proprietary programs and open-source programs is that during the first install with open-source you can immediately install the right version (at the time of installation). With patches on proprietary programs you must first install something buggy, and then try to correct it, and that gives far less predictable results in the end, and a lot more work too.

Of course one can argue that when there is a bug in some open-source program there is also a requirement for applying some correction, but it is not a patch; with an rpm or whatever other method you can update: that is, completely replace what has become wrong with something completely good. And the next time you want to install the product you won't have to install the bad one before the good one if you want.

Really, patches are awful things; what we need is software without bugs, and with proprietary software it is difficult because vendors don't want to offer "prepatched" (that is, corrected) versions of their products for fear some people would download them without licenses. I let you appreciate the absurdity of this situation.

For those having an MSDN at hand, just count the number of "product cdrom" against "patches cdrom" in the server section. You will discover that Microsoft offers a lot more patches than real (useful?) products. Finally you may understand that the commercial offer of Microsoft is bigger on the front of bugs than on the front of business. I hope you will enjoy this revelation.


Patching is bad!

Posted Jan 30, 2003 11:22 UTC (Thu) by NAR (subscriber, #1313)

"I have installed something that is bad at one time during the process."

I think it is more a joke than a real issue. First of all, a really really really paranoid administrator can first disconnect the machine from the network, install the original ("flawed") version, then install the patch, then reconnect the machine, so in this case, the flawed version is not exposed to malicious users at all. Secondly, (at least our) customers do get upgrades, not patches, even though our products are proprietary. And last, but not least, who cares (except you:-), if you install a patch, or install an upgrade? The end result, the exposure time to attacks, etc. are exactly the same.

Bye, NAR

Patching is bad!

Posted Jan 30, 2003 15:48 UTC (Thu) by libra (guest, #2515)

Obviously you have never seen a system dll badly replaced during a patch because another process locks it, or it has been duplicated in the dllcache, or whatever other nasty trick.
I've seen such things happen already. But I must say that it tends to happen more often with Microsoft products than other products developed for Windows (except those of Microsoft partners). Maybe because they know Windows too well to use common sense when making a development.
