
Windows Cheaper to Patch Than Open Source? 473

daria42 writes "Is Windows cheaper to patch than open source software? Of course this Microsoft-commissioned report thinks so - but a number of people disagree, including a key Novell Asia-Pac exec, Paul Kangro. Kangro highlights problems with the report including the fact that it refers to problems faced by administrators before 2003: before significant improvements were made to Linux patching tools. 'We didn't have tools like Xen for Linux then,' says Kangro. 'When I patch my Linux box I don't need to bring it up and down any number of times.' Kangro also points out the report doesn't mention costs associated with rebooting systems after a patch is applied."
  • Kangro also points out the report doesn't mention costs associated with rebooting systems after a patch is applied.

    IIRC, this is one of the things Microsoft is working on for Longhorn, being able to patch and install drivers "on the fly" without a reboot.

    With XP SP2, if you enable the automatic downloading of updates, it will restart the computer automatically after the updates are installed, unless you continuously click cancel when it comes up every 5 minutes. If you're not at the computer, but have web downloads going on and it does this, it can be a real pain.

  • Honestly... (Score:3, Interesting)

    by Philosinfinity ( 726949 ) on Friday May 20, 2005 @08:49AM (#12588002)
    I may be a bit green to the corporate methods of updating a production OS, but I would think that the process would have to be the same. You have to set up a test environment, ensure that the updates produce the necessary results. Then you have to test to make sure that no other software/productivity is affected. Then you have to compare baselines. Regardless of the beginning OS, these steps are necessary.

    I can see two potential differences between Windows and Linux on this front, though, and they both seem to favor Linux. First, you don't have to buy a second license to run the test server. I would assume you can get away with this in Windows by not activating the product, but I could see some test phases taking over 30 days. Second, since you basically know exactly what you are updating in Linux, and what other packages are dependent on what you are updating, your testing phase can be more focused. This isn't to say that it would take less time, but rather that you know what is prima facie in the testing order.

    So corporate sysadmin geeks out here... where is the advantage in this area to using either os?
  • Include Reboot Costs (Score:4, Interesting)

    by Jackdaw Rookery ( 696327 ) on Friday May 20, 2005 @08:55AM (#12588063) Homepage Journal
    "Kangro also points out the report doesn't mention costs associated with rebooting systems after a patch is applied."

    This is a really underrated cost that not many people include or even consider. The environment I work in has a few thousand servers and 130K desktops; all running a mix of 2K, 2003, XP - and other Windows flavors. (Like that's my choice).

    The reboots after patching are a major pain, everything needs to be checked and always, and I mean ALWAYS, some servers will fail to come back up.

    It's costly stuff...
  • Re:Xen (Score:5, Interesting)

    by jbgreer ( 4245 ) on Friday May 20, 2005 @08:58AM (#12588090) Journal
    I wouldn't be too sure about that; I just installed Xen on a box this past week, and the testing branch has been remarkably stable. Have you actually used Xen? That said, I like to think that the poster's larger point is that virtualization technology and its implementations - in VMWare, Xen, etc. have made patch management easier to manage, especially with all of the work going on in migrating apps and OSes. That, to me, will be the real benefit of such work.
  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Friday May 20, 2005 @09:00AM (#12588104)
    Comment removed based on user account deletion
  • Get the facts? (Score:5, Interesting)

    by MoogMan ( 442253 ) on Friday May 20, 2005 @09:05AM (#12588143)
    Well, let's look at the facts:

    @ Both Linux and Windows can be easily configured to auto-update patches.
    @ Windows patches are smaller (binary diffs as opposed to full updated packages).
    @ However, there are more critical updates to Windows.
    @ Windows has SUS [microsoft.com], whereas Linux doesn't seem (excuse me if I'm wrong) to have any kind of distributed patch management for large businesses.

    If bandwidth costs (it does), it could well be that Windows easily has less data to transfer for large organisations.

    If we're talking about uptime then yes, Linux will be more "cheaper" (better uptime, minimal loss of business) in this respect.
  • Don't see how... (Score:3, Interesting)

    by Chanc_Gorkon ( 94133 ) <gorkon&gmail,com> on Friday May 20, 2005 @09:06AM (#12588156)
    I don't see how Windows can be cheaper from a compute cycle standpoint. You lose compute cycles during patches on all systems, it's just with Linux, you lose WAY less. You don't have to reboot. All you have to do is bounce services and you're up and going. Microsoft just tells you to reboot because of the nutso way they run things. Even on Windows, you can do things to make reboots unnecessary.

  • by UnknowingFool ( 672806 ) on Friday May 20, 2005 @09:10AM (#12588180)
    but any company that is going to lose more than a few pennies from a reboot is going to have redundant servers in place already

    I think Kangro was referring to more than lost business but also lost productivity.

    In the case of desktops, it's going to be lost productivity. Sure you can schedule them to update and reboot in the middle of the night, but what if the user was working on something? The admins have to spend some time planning and scheduling mass updates or leave it to the user. It's trivial to reboot; it's harder to schedule for many machines so that productivity is minimally affected.

    Also your argument only applies to mission critical or production machines. It does not include any development and/or testing machines that may not have a backup. Many organizations do not have the money to have a backup for every non-essential machine.

    Our company is installing a new enterprise application. Every time we are rebooting the test servers, our consultants and employees are not working on the app. With new system setups, rebooting a lot is not uncommon.

  • Re:Reboots (Score:1, Interesting)

    by Anonymous Coward on Friday May 20, 2005 @09:15AM (#12588236)
    You imply that patching unix boxes does not have any service downtime. Particularly with Java shit, it can take a while to bring a service back up, and that means you need the redundancy.
  • by great_snoopy ( 736076 ) on Friday May 20, 2005 @09:35AM (#12588485)
    Well, this might be true if you consider just the operating system itself, but I doubt even this. For the beginning, let's consider the following:

    1). The bare OS (be it linux at a minimal install or windows) is mostly unusable except for browsing the web, writing things in notepad or wordpad and a few other minor things. In the real world there are a lot of other things you install, from movie players, codecs to complex applications like IDEs, Office suites or business applications. In the end a typical workstation has a bunch of applications NOT included in the OS itself (I'm talking about windows here).

    2). Second, Microsoft has the bad habit of counting all applications in a distribution when counting vulnerabilities, so that they can say "look, redhat had 50 security bugs this year, we had only 5". Well, let's take it the microsoft way, and consider all the applications in a distribution. Now, in the linux world a lot of applications are open source and/or supported with patches directly by the vendor (Redhat/Novell-Suse/Debian/Ubuntu, etc). In the windows world on the other hand the whole bunch of installed applications are not controlled by anyone.

    So, let's consider that 5 of the applications on the system need update (firefox, one office suite, and other applications).

    The linux way: The distro's update manager signals you that 5 security updates need to be installed. You click on the alert or manually open a terminal and run apt-get upgrade or yum update, etc and you have the system up to date again.

    The windows way: You go to windowsupdate.com where a patch for the kernel is downloaded to prevent a newly discovered DoS attack, then you launch mozilla firefox, where mozilla firefox's own update manager alerts you that you have to update the browser, then you go to officeupdate and update the office suite, and then you check the following app and learn that you have to download and install the patch manually, and so on for all the 5 apps.

    Now think what happens when there are 20 or more apps to be checked, INCLUDING various supporting libraries that cannot be easily checked automatically and you have to check them one by one and patch them one by one. In the linux world the package manager updates almost anything for you in one move. (With some exceptions, of course). In the windows world, that has not a real update manager/supervisor for the whole list of installed applications, you have to do the updates one by one, by hand because there is no unified windows update manager. So... what way is simpler? After all, it all comes to the time required to maintain an IT infrastructure up to date, and windows falls short on this one. And we all know that time is money, right?
  • DIY Patch System (Score:2, Interesting)

    by datadriven ( 699893 ) on Friday May 20, 2005 @09:43AM (#12588568) Homepage
    Another factor that's not considered is that with FOSS products you are free to write your own patch system if you don't find any that meet your needs. With windows you're stuck with what they offer.
  • Re:Get the facts? (Score:3, Interesting)

    by guruevi ( 827432 ) on Friday May 20, 2005 @09:45AM (#12588590)
    @Both Linux and Windows can be easily configured to update but
    Upgrade any hardware device driver and you have to reboot in Windows
    Upgrade your hardware device, do rmmod module and modprobe module (can even be automated). The only way you have to reboot is if you have updated your kernel.

    A fully updated mailserver (for about 1000 accounts - 1 processor server load 0.00,0.00,0.00) running Linux here has not been rebooted the last 250 days. The Exchange cluster (also for 1000 users - Exchange can't handle the load on 1 dual xeon server) needs to be rebooted every WEEK for a new upgrade or patch

    @An average Linux patch takes about 2kb (a real patch, not a whole new version). Windows patches take at least 1MB.

    @I have not seen a whole lot of remote exploitable holes in Linux, in Windows there are still exploits being reported by a security scanner after all patches and upgrades applied

    @With Linux you have the choice to have any kind of distributed patch management and all countries have at least 1 regional server with the updates for your flavoured distro where you can get at least 300kb/s. With Windows I have to connect daily with my SUS to 1 main Windows server in the United States and download my patches at a mere 50kb/s
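
Added example, not part of any comment in this thread: the claims above that a patched Linux box only needs its services bounced, and a reboot only after a kernel update, can be checked mechanically. The function names, the sample process tree and the kernel release strings below are constructed for illustration, and the `vmlinuz-<release>` naming is an assumption.

```sh
#!/bin/sh
# Added example (not from the thread). PROC_ROOT and BOOT_DIR are parameters
# so the checks run on a constructed tree; live defaults are /proc and /boot.

# Print "pid comm" for every process that still maps a shared library whose
# file was replaced on disk: it keeps running unpatched code until restarted.
stale_lib_procs() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # executable mapping of a .so that the kernel marks "(deleted)"
        if grep -Eq ' r-xp .*\.so[^ ]* \(deleted\)$' "$maps"; then
            dir=${maps%/maps}
            comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
            echo "${dir##*/} $comm"
        fi
    done
}

# Succeed (reboot needed) when the newest kernel image in BOOT_DIR is not the
# running release. Assumes images are named vmlinuz-<release>.
kernel_reboot_needed() {
    running=$1
    boot_dir=${2:-/boot}
    newest=$(ls "$boot_dir"/vmlinuz-* 2>/dev/null |
        sed 's|.*/vmlinuz-||' | sort -V | tail -n 1)
    [ -n "$newest" ] && [ "$newest" != "$running" ]
}

# Build a constructed sample tree (values invented for the demo).
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/812" "$d/proc/901" "$d/boot"
    echo sshd > "$d/proc/812/comm"
    echo cron > "$d/proc/901/comm"
    echo '40a000-40b000 r-xp 00000000 08:01 1311 /usr/lib/libssl.so.0.9.7 (deleted)' \
        > "$d/proc/812/maps"
    echo '50a000-50b000 r-xp 00000000 08:01 1400 /lib/libc.so.6' > "$d/proc/901/maps"
    : > "$d/boot/vmlinuz-2.6.8-2"
    : > "$d/boot/vmlinuz-2.6.8-16"
    echo "$d"
}

sample=$(make_sample)
echo "processes to restart:"
stale_lib_procs "$sample/proc"
if kernel_reboot_needed "2.6.8-2" "$sample/boot"; then
    echo "reboot required: newer kernel installed than running 2.6.8-2"
fi
rm -rf "$sample"
```

On a live host, call `stale_lib_procs` with no argument as root and `kernel_reboot_needed "$(uname -r)"`; a process listed by the first check is still exposed to the flaw the patch fixed until it is restarted.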
  • by NextGaurd ( 844638 ) on Friday May 20, 2005 @09:56AM (#12588731)
    In a corporate environment (or your home for that matter) you can set WinXP to have automatic updates, install automatically and restart the PC in the middle of the night if needed. Combine this with a product like Norton Internet Security that handles viruses and spyware, updating for both at night and running automatically and install firefox and you now have Windows system that the average user can use without maintenance for a year at a time. Linux may match one day but there is no way right now for the typical PC user, home or office.
  • Re:Well. (Score:3, Interesting)

    by smchris ( 464899 ) on Friday May 20, 2005 @11:01AM (#12589419)
    OK, well here's a dolt and this issue comes at a perfect time.

    I have two Red Hat 9 desktops that I would like to upgrade to Fedora 3. Today. Both are running Win4Lin and I want nVidia video acceleration.

    I've downloaded "How to Install Win4Lin on FC3" from a Google search. Prints out to about 2-1/2 pp of 10 point on kernel recompile (and more pages on blog follow-up issues).

    But nVidia acceleration is also a patch. But, but, but..... It is my understanding that you don't patch a patched kernel because the patch assumes it is being applied to an unpatched kernel and the patch won't patch. Tried it once on nVidia "custom" install with a Fedora Core 1 Win4Lin patched kernel and the nVidia splash came up, the background came up -- and it locked.

    So, undolt me. How do I get the functionality of _multi_-patching linux kernels?

    Make sure it is simple. Remember, I'm a dolt.

    I'll check back.

  • by Wdomburg ( 141264 ) on Friday May 20, 2005 @11:53AM (#12590123)
    What seems to work for me in that instance is leaving the dialog open, but dragging it nearly entirely off screen.

    You know what bugs the fuck out of me? Windows XP changing the behaviour of the "turn off" option to "download updates". The rare times I actually do boot into Windows only serves as a reminder of why I don't like doing it.
  • Sure it's cheaper (Score:1, Interesting)

    by Anonymous Coward on Friday May 20, 2005 @12:21PM (#12590536)
    In the average lifetime a Windows user is able to apply 42,195 patches, counting updates for AVG, Spybot, AdAware, etc, and reapplying patches when the OS requires reinstallation. The average Linux user applies only 224 patches in the same number of years. If that isn't proof that Windows is easier to patch, I don't know what is.
  • by einhverfr ( 238914 ) <chris.travers@g m a i l.com> on Friday May 20, 2005 @02:49PM (#12592460) Homepage Journal
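    # Refresh package lists, then install pending upgrades, on each listed host
    while read -r a
    do ssh -n "root@$a" 'apt-get update && apt-get -y upgrade'
    done < machine-list.txt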

    How hard is that?
  • Re:OT: Your sig (Score:3, Interesting)

    by caluml ( 551744 ) <slashdot&spamgoeshere,calum,org> on Friday May 20, 2005 @07:53PM (#12595253) Homepage
    Erm, I think that it is you who might need to check :) Iana isn't down. The IP address of www.iana.org is 192.0.34.162 - I suspect that you have an interface configured with 192.168.0.2 netmask 255.0.0.0 or something like that. Or a dodgy route.
