[H-GEN] Help! How to
Greg Black
gjb at gbch.net
Wed Jun 16 01:21:13 EDT 2004
On 2004-06-16, Peter Arnold wrote:

> Well all indications are that I *should* install the update as it
> addressed a vulnerability in NTLM which is an authentication system we do
> use. However a fix ain't a fix if it breaks something else.

Perhaps it's better to say that the indications are that you
should update your squid installation -- not necessarily via the
vendor's mechanism.

Many people just don't use vendor packages for stuff like this.
For instance, a common rule is never to use such packages for
servers that listen to the external world. Rather, you can
obtain the source, build it for your own needs with just the
options that you require, add local patches if needed and
install it in your chosen location. Then you subscribe to the
announcements mailing list or RSS feed to ensure that you learn
about new versions that you might want to install.

You can manage all your local bits with CVS or Subversion or
whatever; just import the new version when it comes out, merge
your options, patches, etc., and re-install.

This way, you don't have to wait on your vendor or rely on your
vendor managing not to break something else you rely on (which
is something that happens very frequently).

"Oh, but I've paid for vendor support, so I want to use it."

That's your choice; but you only get what you pay for and, if it
didn't cost millions, it won't be able to accommodate all the
possible situations. Yes, it's a pain to have to learn how to
manage the software on your systems -- but it is really the only
way to handle this stuff.

Of course, if you happen to have packages that are only used
internally, then using the vendor's offerings will probably be
fine for those (and that will be most of the software that you
use); but for the outward-facing stuff that the bad guys will be
wanting to leverage, being in control of your destiny means
being on top of the whole configure/build/install scenario.

Cheers, Greg