Windows Cheaper to Patch Than Open Source?

daria42 writes "Is Windows cheaper to patch than open source software? Of course this Microsoft-commissioned report thinks so - but a number of people disagree, including a key Novell Asia-Pac exec, Paul Kangro. Kangro highlights problems with the report including the fact that it refers to problems faced by administrators before 2003: before significant improvements were made to Linux patching tools. 'We didn't have tools like Xen for Linux then,' says Kangro. 'When I patch my Linux box I don't need to bring it up and down any number of times.' Kangro also points out the report doesn't mention costs associated with rebooting systems after a patch is applied."

Well.

[Sierpinski]

It might be easier if you have no idea how to really use a computer, and are not willing to learn. Those people will never leave the "comfort" of a familiar thing. They fear change, especially when it forces them to actually think for themselves.

Not exactly objective....

[Anonymous Coward]

So microsoft says windows is cheaper to patch, whereas Novell (who own Suse) say linux is cheaper to patch.

Can someone tell me why this is news?

Re:Well.

[psiphre]

how the shit is this redundant, mods? It was the first non-troll post.

Cheaper, maybe...

[mph_az]

...but only if you don't count the hours of lost or reduced productivity waiting for MS to get around to releasing their patches.

Cost of Rebooting??? LOL

[Foolomon]

Kangro also points out the report doesn't mention costs associated with rebooting systems after a patch is applied.

I didn't RTFA but any company that is going to lose more than a few pennies from a reboot is going to have redundant servers in place already. It is not difficult to stagger the application of patches to server machines in a farm, which all but eliminates the cost of a reboot.

Anything from Novell that is spoken against Microsoft is suspect anyway. I'm not a big Microsoft fan, but the animosity between the two companies is well documented.

Flawed

[republican gourd]

Any company where the majority of the cost is in the patching process itself, rather than the testing of the patch, the secondary servers in the test lab that they can make sure it doesn't blow services up on, the payment of skilled people to identify the problems and fix them *when* they happen and various other people costs is of course going to be more expensive than "I set up windows updates once, so now it updates me magically whether I like it or not", even without the reboot thing.

There is also some really iffy logic in breaking down one single piece of the ownership cycle and claiming that it is cheaper and ignoring the rest. I tell you, paying for college for my persistently vegetative child is uber-cheap, I can't say enough for persistent vegetation...

Re:Well.

[Soybean47]

It might be easier if you have no idea how to really use a computer, and are not willing to learn.

If they're talking about the "cost of patching," they're talking about large corporations. Large corporations have people in charge of IT who, we hope, have some idea how to use a computer. ;)

It really doesn't take much to patch most new-ish linux systems.

emerge sync && emerge -uD world

is probably one of the most complicated, and that's all there is too it.

Reboots

[Nytewynd]

The cost of rebooting on some machines is astronomical. I know we had some management software on a data line connected to the stock exchange. From the hours of 8-5 any downtime would cost over $10k/second, not to mention any lawsuits that could have been processed if someone lost money and couldn't sell their stocks when they wanted. On the other hand, most machines are not nearly that critical, and reboots can be done at off hours. I would say that Windows systems are less costly to patch for another reason. Almost anyone with technical ability can patch windows. You can hire windows admins on the cheap. To get Unix admins will cost more if you want someone that knows what they are doing. I wonder if they take the cost of knowledgable staff into the equation. Otherwise, the cost of patching for either can be huge or trivial depending on the patch and the situation. Also, Windows is a lot better now with the reboots. You don't have to reboot nearly as much as in the past.

Re:Reboots

[zr-rifle]

Well, to avoid the rebooting problems you need redundacy - load balancing, etc - which obviously costs money. That means higher TCO than on *NIX, which fares better and is generally safer with less "armor".

Re:apt vs windows update

[xmodem_and_rommon]

no i wouldn't. I'd consider it a good thing that users of microsoft products have one easy place to go for patching all their software.

Now if microsoft used windows update to replace products on consumers' machines with microsoft alternatives, THEN i would be screaming MONOPOLY at the top of my lungs. But fortunately not even they are that stupid.

Re:Cost of Rebooting??? Don't LOL me!

[Tsu Dho Nimh]

"any company that is going to lose more than a few pennies from a reboot is going to have redundant servers in place already. It is not difficult to stagger the application of patches to server machines in a farm, which all but eliminates the cost of a reboot."

How about desk-bound employees and their patches? Don't we count?

I use a lot of non-MSFT apps, and if one of them fails to work with the patched Windows system, I'm goung to lose a lot of time. I've already had one "security patch" to something do wierd things to my system, making it impossible for me to see the hard drive password prompt. Multiple that by every laptop in the company and you have a lot of support calls.

Another "security patch" seems to have hosed the network finder so that it can't automatically pick up a new IP address from the LAN. I have to manually change the settings and ..... guess what? REBOOT to force it to pick up the new IP address. Every time I have to log on from home, that's TWO reboots and two manual interventions to what should be automatically happening.

emerge -uDN world

[Bazzalisk]

does windows have en equivalent? I think not.

A point we often miss

[rbanffy]

We, Unixers, usually miss the point that, while we don't have to reboot the whole computer at each and every important patch, we have to bring services down and then back up when they are significantly patched. For a database server it's not the system uptime that counts - it's the database uptime. If it goes down, I could as well have rebooted the whole server - the phone will ring just the same.

While this is a whole lot better than Windows, they are getting closer.

And... Well... The fact it was paid by Microsoft says nothing about the report. I sure would like to see the other reports paid by Microsoft that say FOSS is cheaper, more reliable, more ethical and that are tucked away somewhere in a folder marked "secret"

Microsoft is getting desperate

[QuietLagoon]

When Microsoft continues to fund these highly biased reports and surveys, the Open Source community should be happy. It means that Microsoft considers Open Source to be a real competitor. In effect, Microsoft is doing more to validate Open Source and increase the visibility of Open Source than anyone could hope for.

Re:apt vs windows update

[Oestergaard]

The cool thing about stable debian is, that it *doesn't* upgrade to the latest version of all the software.

It just installs security updates.

That way, I don't need to worry about database upgrades, configuration file changes, API/protocol changes etc. etc. etc. Everything that ran before, runs afterwards, unchanged.

*that* is cool. If you're running production servers in the real world at least :)

Re:apt vs windows update

[I confirm I'm not a]

Yeah, because it would be better if it didn't remind you and you left your system unpatched.

No, it would be better if it [Windows Update] reminded me once and then respected my decision.

Re:A point we often miss

[joto]

For a database server it's not the system uptime that counts - it's the database uptime. If it goes down, I could as well have rebooted the whole server - the phone will ring just the same.

Except that rebooting a computer takes around 2 minutes (maybe more if it's a heavy server. Restarting the DBMS (which is already cached in RAM, remember) should take less than a second. If you get phone calls then, just pretend you went to the loo for a minute and wait for it to calm down :-)

Re:A point we often miss

[Peeteriz]

Well, the point is that on Unix machines you don't have to bring down your database system to install a security fix for a webbrowser.

Re:apt vs windows update

[GIL_Dude]

Never having used Debian, and being a bit of a noob on Linux (although I used to admin HP-UX a long time back), I don't seem to have it as easy as you do for updates.

I'm using Suse 9.2, and while the auto-updates in YaSt seem to work very well and only occasionaly ask for a reboot, they don't update things like Firefox with any patches I can see at all. I wanted to go from the included beta release to the 1.01 awhile back and had the damndest time installing it to somewhere where I could find it and run it. (I admit, it gets easier as I get used to it). However, I think just clicking on the EXE in Windows and having the newer firefox install run is a hell of a lot easier; it's less steps even for people who are experts.

For the things that Windows Update does patch (Windows, Exchange, SQL, Office, etc. shortly as they are almost ready to release from Beta the Microsoft Update) it does pretty well - but lots of reboots.

As I mentioned on my Suse - YaSt does well, and rarely has me reboot (I think twice so far).

But, the thing is - patching stuff like GIMP, Firefox, etc. doesn't seem to be as automatic and easy under Linux as it does under Windows. Hell, I was running PaperPort on my Wife's Windows machine the other night and it automatically updated itself to 10SP1. Until more of the FOSS ones can do that, I think patching of applications outside of the OS is easier on Windows than on Linux.

Uh huh

[Colin Smith]

Sorry but this stuff is particularly trivial, patching 10, 100 or 1000 machines.

e.g.
echo 'ALL:root: 15 18 * * * /afs/admin/scripts/patchme' >> /etc/crontab.master

Where the crontabs are centrally managed, patchme checks for resources, goes to sleep for a while, runs OS, platform and rev specific patch download and install subroutines which run yum update, apt-get update, patchadd, rpm -Uvh etc. Report progress to a central monitoring system like Big Brother or Zabbix as the patching process runs through the various stages.

Even talking about the cost of the patching process itself is missing the point. Anyone who has a lot of machines will already have a largely automated enterprise wide cross platform patching system in place. Applying a specific patch will be a case of dropping a pre-tested file into a directory on a file server. If you don't have such a system WTF are you doing wasting your time on Slashdot?

troll bait

[alumshubby]

I wish I could mod this entire article (-1, Troll) -- it's like shooting fish in a barrel.

Re:apt vs windows update

[kayak334]

If you're in the middle of running a test, I don't see how the "reboot now/later" box is bothering you. If you're crafting a test, you can save and reboot.

Sorry, I know that it can be a pain sometimes, and I'm not trying to poke you and tell you how/when to reboot. Maybe a better solution would be for Windows to pop the window up every 10min, but don't give it focus.

Story? Please?

[NemosomeN]

Why is this a story? I mean seriously. These TCO articles come out all of the time, and they are bullshit all of the time. Don't we already know this? Does anyone with half a brain pay attention to these "studies"? There's nothing we can do to stop them, and we only discredit them here... Where everyone knows they are bullshit. It doesn't even have anything to do with some prejudice against Microsoft. Any company will bs their way to more sales. Welcome to life, people.

Re:apt vs windows update

[I confirm I'm not a]

So you're complaining that you chose to install the patch that required a reboot? Why didn't you wait until after you completed whatever critical work you had to do? User makes choice. User doesn't like consequence. User blames vendor. Sigh.

To a certain extent. I made the decision the night before, but wasn't prompted to reboot when I arrived back in the morning. It wasn't until I'd started work - on something that, naturally!, couldn't wait - that the popups started. I *do* blame the vendor for creating a system that doesn't respect my choice: "no, I don't wish to reboot now". That should be it, end of story (leaving aside the "why does the bloody thing *need* to reboot when every other box I' involved with seems to manage an update without this degree of hand-holding).

Re:XP with SP2 finally solves the patching issue

[blane.bramble]

In most corporate environments you would not be allowed to set automatic updates on. The last thing the corporate IT department would want is for an automatically installed patch to break existing systems.

Re:apt vs windows update

[SomeoneGotMyNick]

3) Choose 'Download updates for me, but let me choose when to install them.' (this was the default, by the way!)

Still doesn't explain why my choices are all ghosted out, while logged in as administrator. If grandma even got this far to change the settings, what would she do next? Also, your default selection wasn't the selected item on my screen.

teach grandma how to get her syntax exactly right at the command prompt. That's much better.

A lot of Grandmothers were skilled at typing. After all, keyboards were around long before they were on computers. Spell checks weren't available to save them from mistyping what they read. The Post-It apt-get instructions on the monitor would be followed verbatim.

Report might be right. Don't ignore the problem...

[Saeed al-Sahaf]

'When I patch my Linux box I don't need to bring it up and down any number of times.'

Sure this is an inconvenience, but (still) overrated. It's just not a major issue to reboot a machine. Word. Move on.

What continues to be a major road block to widespread adoption of Linux by the masses is not just patching, but just installing applications at all. It just can not be said with a straight face that installing patches or an application on Linux is as easy as with Windows for average computer users. There are just way too many pitfalls that can trap a user in hours and days of searching for strange dependencies and other things. And a smooth GUI installer....

Re:Get the facts?

[spongman]

Upgrade any hardware device driver and you have to reboot in Windows

This isn't generally true. Windows doesn't require a reboot after a driver update. However, many driver writers are lazy and don't take the time to implement in-place upgrades for their drivers.

Re:Well.

[caluml]

how the shit is this redundant, mods?

Redundant doesn't just mean untimely - it also means unnecessary, useless, of no added value. So the first post, if it simply repeated things from the story would be redundant. Find a dictionary, and read it sometime.

Re:Well ... Insightful? Hammer geeks unite !

[fygment]

How arrogant!

a) Nothing in the report suggests the users 'have no idea how to really use a computer';

b) Nothing in the report remotely suggests anyone is not willing to learn how to use a computer;

c) Everything suggests that people do think. The thinking might be along the lines of: "My computer is a tool. Do I really need to know how to fiddle endlessly setting up the tool?"

Why is it that there is no questioning buying precooked food, taking appliances and vehicles to repair shops for the simplest of servicing, or the persistent use of a favoured carpentry tool because it's 'done the job fine for x years'. And yet when someone treats a computer simply as the tool it should be, they are branded 'fearful of change' and 'unthinking'?

What would you think if there were hammer geeks who spent endless amounts of time refining, modding, and configuring their hammers? Geeks who felt that only unthinking losers wouldn't change their hammers every six months. Geeks that felt it a pathetic display of ignorance that someone would not take the time to know their hammer intimately. Geeks that could endlessly debate shaft lengths, handle materials, and head geometry. In all likelihood, there would be a very large body of people who would think, 'It's a fscking hammer. I don't want to be a craftsman or hammer designer. If the thing don't hammer simply, it's of no use to me.'

Re:Well.

[xenotrout]

If you're stuck in dependency hell (can't find dependencies?), your package system is probably out of date. If installing a dependency resolver causes another dependency hell, I would recommend you back up your configs and data, make a list of what you installed, and start again with a distro that automatically resolves dependencies. Debian and Gentoo both do this. Ubuntu and other Debian-based distros do it. I think the latest versions of the popular RPM-based distros (Redhat, Mandriva, etc.) do this as well.

A Truce?

[suwain_2]

Can Slashdot concede that Microsoft-funded studies will come out in favor of Windows being better, and that some non-Microsoft-funded studied will come out in favor of Linux, and stop wasting our time with this banter?

Re:Well.

[Wdomburg]

People who refuse to use package updates because of "dependency issues" are usually using them incorrectly. Package managers do not create dependencies, they record and enforce them.

Used properly, a package system is a solution, not a problem. When I want to install something I don't even consider dependencies, I simply type "up2date " and it pulls in everything that package needs and installs them in the proper order.

The only real downside is that third party packages are often poorly created. Failure to follow platform conventions (e.g. paths) is the most common "sin". Ultimately I think user oriented distributions need to settle on a more reasonable release schedule. The ridiculously short cycle of Fedora (4-6 months) is way too volitile and really hinders any meaningful packaging effort, and the glacial cycle of Debian (almost 3 years since the last major update) precludes support for modern desktop packages. As the major desktop technologies (Gnome, KDE, Mozilla, etc) mature, this should help to rationalize distribution release cycles as well.

The most common end user mistake, in my experience, is circumventing the package manager - forcing packages, ignoring dependencies, installing from tarball, etc - and then wondering why it doesn't work. To some degree it's understandable. There is plenty of cool software out there that's simply unavailable without building from scratch, and a lot of the people who try Linux are curious and want to explore the cutting edge. But it should never be forgotten than on the cutting edge things break. A lot. Sometimes dramatically. If you want stability and predictability, you simply have to wait until the bugs are ironed out and things are neatened up for "mass market" distribution.

Re:Report might be right. Don't ignore the problem

[Anonymous Coward]

oh fuck off... It's as obvious as the nose on my face that you haven't seen a Linux distribution in operation since 1999... things have come a long, long way since those dark, dark days...

oh and by the way... it is a major issue to have to keep rebooting a machine

Installing Is Hard On Windows

[EXTomar]

Windows installers are nightmares on the enterprise level. Too many dialogs that feature settings that should have been issued on a command line. Too many dialogs with non-installation information. (Hello?...EULA/README SHOULD BE HANDLED IN THE APPLICATION!!) These two create a situation where if you are going to install a piece of software on more than a handful of machines you really wish they had a silent install. More often than not you are stuck babysitting installs blindly clicking "Yes"s and "Okay"s and "Next"s. Yay for the TCO.

A "sin" Microsoft cultavated along time ago is confusing "installing" and "configuration" together. If you tie both of these process together it makes support murky. Did the installation fail to place files or did it mess up setting some value somewhere? Installers should be concerned with tracking/placing software components. Programs should be concerned with configuration. Because of MS including this level of complexity it also had the side effect of making it hard for a user to inspect packages before installing. There is no way for a desktop user to find out what a MSI package provides, what it requires, etc before installation. Another side effect is that people writting installers are often forced to package all depedancies with their application instead of making seemless stacking installs.

Making a Windows installer actually enforce component dependancies suffers from the same "DLL Hell" type problem that has plagued Windows forever. Most installations are written loosely: you can uninstall CompA which ProgramB depends upon and the system happily complies.

With all of that said, Windows installers are bad. Linux and other Unix-like systems are okay but they are more interested in software integraty than ease of use. You can't beat Mac: Drag a folder into the apps folder and its installed, take it out of the folder to uninstall it. At this point I can't imagine why anyone would any system to be more like Windows.

Re:Well ... Insightful? Hammer geeks unite !

[halber_mensch]

What would you think if there were hammer geeks who spent endless amounts of time refining, modding, and configuring their hammers? Geeks who felt that only unthinking losers wouldn't change their hammers every six months. Geeks that felt it a pathetic display of ignorance that someone would not take the time to know their hammer intimately. Geeks that could endlessly debate shaft lengths, handle materials, and head geometry. In all likelihood, there would be a very large body of people who would think, 'It's a fscking hammer. I don't want to be a craftsman or hammer designer. If the thing don't hammer simply, it's of no use to me.'

Your analogy is a bit skewed. A hammer doesn't exactly have the same power in society as a computer. A hammer can't communicate with another hammer. A hammer doesn't hold bank records or social security numbers or credit card accounts. A hammer doesn't spread hammer viruses that allow other hammer users to steal that information. A geek hammer user doesn't use his hammer skills to exploit the weaknesses of your hammer to break into it.

Your car is a decent analogy to a computer, but as you pointed out most people simply dump it into someone else's lap when something "don't work" - that's why so many people drive broken down heaps, or constantly have their vehicles in the shop, or destroy their engines from years of unmaintained use. A person that never bothered to understand that their car needs brake maintenance will only figure it out when their brakes finally go and they careen into another car. But also those who change their own oil, perform tune-ups themselves, and know How Their Car Works tend to drive well-running vehicles that are not road hazards. It's called responsible ownership. Could you argue that awareness of the care and maintenance of a car is an undesirable thing?

You legally are required to have a license to drive a car. If it's simply a tool, why would that be? Why should you have to intimately know the operation of driving a tool? Well, it's a powerful tool. It's also a dangerous tool. You can cause massive amounts of damage with a car because of its power. An idiot driver that doesn't signal before merging on the highway can cause multi-car wrecks. People cause fatalities by running stop lights and stop signs. Similarly, a person with a computer that doesn't care to understand the need for its security quickly becomes a zombie node in massive DoS attacks on other systems. These cost network providers untold sums of money in downtime and customer dissatisfaction. In some cases it allows their personal information to be stolen, just as if they were to keep their bank records in their cars without locking the doors - or their windows were smashed out and the records taken. Do you see the relationship here? The power that computers and global internetworking have given us must be taken with some measure of responsibility for the technology to be safe. Ignorance is not something to take pride or comfort in - there is no reason that computer users should not be more aware of their computers and how to properly maintain them.

Oh, and the hammer geeks that you mentioned are the reason why we have progressed from hand rocks, animal bones, and tree stumps to clawhammers, ball peen hammers, plastic and rubber mallets, and sledgehammers.

Re:apt vs windows update

[cptgrudge]

Wait, they're all ghosted out!! And I'm logged in as an Administrator.

Maybe they are ghosted out because your sysadmin at work doesn't want you messing with them? Even if you are a local admin of your machine the options can be unavailable.

With a combination of Active Directory settings and SUS, you get some measure of automated patching, without any interaction (interference?) from end users. Maybe this is your situation if this is your work computer. If so, someone else is taking care of it, don't worry too much.

Re:apt vs windows update

[Crudely_Indecent]

Definately better, though, to teach grandma how to get her syntax exactly right at the command prompt.

Right, 'emerge sync; emerge -u world' is complex syntax. Or, better yet, don't tell grandma anything, make it a cron job. Even better yet, get grandma a PDA capable of sending email and solitaire. Better still ANSWER THE PHONE WHEN SHE CALLS, she won't be around forever and can't type that fast. Shouldn't you spend more time talking to grandma?

I'm praying for the day my data-processing business gains some momentum and I can quit my network admin job. I will truely enjoy telling those who ask for my help "sorry, I don't do windows. Have you contacted the manufacturer?"

That brings me to another beef I have with windows. There are far to many people who consider themselves 'network administrators' just because they know what PC stands for. I can't tell you how disgusted I get when I get a phone call from one of my customers who says "I'm the network administrator and I've got a system with a 169.254.x.x address....what's wrong with your network?" They seem so confused when I tell them their network cable is unplugged and that my responsibility ends where the T1 cable connects to their router.

The problem is idiots at the console. Pure and simple, evil idiots sent from the planet omicron percei 8 to disrupt my harmoneous network and make my phone ring. It is, of course, my fault because my servers run Linux. Nevermind that my servers have been running through their previous 5 system-restores and 300 days before that.

The last time I vented about windows idiots got my message modded to 'troll.' For those of you who successfully run windows and never call tech support because you can handle it yourself, I applaud you. You are far more tolerant than I. For the rest, to hell with you if you can't take ridicule. In real life, I'm better than you. My karma can take anything you think you can dish out.