Very Computer

Hi everyone,

Just a note that if you are upgrading to Solaris 10, and you want full access
to all recommended and security patches for the new OS, you have to buy a
'service plan' from Sun if you don't have any other existing maintenance or
service contract. There is an announcment about the change linked from the main
SunSolve page at "http://sunsolve.sun.com". Sun's also changed the terminology
to sound like like Microsoft (!), so patches are now 'software updates'. 8-)

I just had a look now and the cheapest service plan is US$120 a year and they
are basing the pricing on the number of processors you use (which are called
'sockets'), so for a typical dual-CPU system like an Ultra 60, the minimium
service plan price is US$240 for one year or just over US$600 for an extended
3-year plan! Ouch.

If you don't have a service plan the only patches you can download for free are
security and hardware driver updates! That probably won't bother grass-roots
users (students, non-profit businesses, educators, etc.) but it will affect
small buiness significantly.

The new policy is more restrictive than the previous policy under which Sun
made recommended and security patch kits available for free to everyone. Do you
think this will turn a LOT of end-users away from Solaris (and Sun's hardware
in general)? I tend think that it will - especially small businesses, etc.
It'll put Solaris only in the market for medium to large enterprises and other
segments are likely to skip Solaris in favour of an open-source Linux of *BSD
OS. Particularly since Sun is now favouring Opteron-based hardware designs and
effectively building 'Sun-badged PC-type' workstations and lower-end servers.

Regards,

Craig.

--
  SUN RIPENED KERNELS - Surplus Sun Microsystems Equipment, Parts + Accessories
     Waterfall, NSW, Australia - Operated by Craig Dewick - Founded in 1996
Main site: www.sunrk.com.au - Ebay Shop: www.ebayshops.com.au/sunripenedkernels
   Ph: +612-9520-2547 - Fax: +612-9520-2557 - Mobile: 04-2163-0547 (int. +614)

--
int main(){int O=0,s[]={0x84,0xe4,0xea,0xdc,0xde,0100,0xa6,'\\'\
,0100,0x88,0xca,0xd8,0xc4,0xde,0xdc,0xde,0100,0xf8,0100,0170,0x\
c4,0xe4,0xea,0xdc,0xde,'\\',0xe6,'\\',0xc8,0xca,0xd8,0xc4,0xde,\
0xdc,0xde,0x80,0xda,0xc2,0xd2,0xd8,'\\',0xc2,0xc6,0174,0100,0xf\
8,0100,0xd0,0xe8,0xe8,0xe0,0164,0136,0136,0xee,0xee,0xee,'\\',0\
xda,0xc2,0xd2,0xd8,'\\',0xc2,0xc6,0x0};while(O<66){(s[O]==0)?pr\
intf("%c\n",(47<<2)>>2):printf("%c",s[O]>>1);++O;}return s[--O]\
;}

Quote:>> I tend think that it will -
>> especially small businesses, etc.

*BSD is another matter I would accept. When I installed that in the dim
and distant past it was clear nothing was enabled for security reasons.
You would soon spend the equivalent cost of a low-end support contract
in configuring a usable system for desktop use.

Quote:>> It'll put Solaris only in the market
>> for medium to large enterprises and other segments are likely to skip
>> Solaris in favour of an open-source Linux of *BSD OS.

Quote:> I agree. Most companies who run Solaris, would buy support anyways...I
> think sun should allow another category for hobbyists.

Sun Studio 11 is free, which is a real bonus.

Given a choice, (free Sun Studio 11 or free patches) I know what I would
take. How about you?

If you conclude the free compiler is the better than the free patches
and you used Solaris before, I think you will have to agree it is even
better value now. (At least on SPARC. For x86 there is obviously gcc
which works better on x86 than it does on SPARC)

The real killer cost with Solaris for me would have been drivers for my
GPIB board. They are free for Linux, but about 400 for Solaris. That
was a third party (National Instruments) not Sun though.

Lots of 3rd party commercial software is more expensive on Solaris than
Linux, but you can't blame Sun.

PS, why are people now copying posts to the UK and Australian Sun
newsgroups? I would expect people in those countries (like myself in the
UK) would look at comp.sys.sun.admin and comp.unix.solaris. The national
ones should really be for items specific to those countries.
--
Dave K

http://www.southminster-branch-line.org.uk/

Please note my email address changes periodically to avoid spam.

for a couple of months only. Later set it manually. The month is
always written in 3 letters (e.g. Jan, not January etc)

If you *need* compiler better than gcc, then Sun Studio 11 being free is
definitely a better deal than patches being free, though...

   - Logan

Ian

Quote:> The new policy is more restrictive than the previous policy under which
Sun
> made recommended and security patch kits available for free to everyone.
Do you
> think this will turn a LOT of end-users away from Solaris (and Sun's
hardware
> in general)? I tend think that it will - especially small businesses, etc.
> It'll put Solaris only in the market for medium to large enterprises and
other
> segments are likely to skip Solaris in favour of an open-source Linux of
*BSD
> OS. Particularly since Sun is now favouring Opteron-based hardware designs
and
> effectively building 'Sun-badged PC-type' workstations and lower-end

It's really quite simple. Either you run an "open source" OS on your
systems, or you run a "commercial" OS on your systems.

If you run an open source one, then you get to manage, patch, upgrade, etc.
as one would any other open source system. Which means relying on community
based toolsets and systems to aggregate and provide those kinds of services.

If you run a commercial system, then you get to rely on your vendor, most of
whom want to be paid for such services.

Solaris is in the state now. You can use OpenSolaris, you can download
Solaris Express, you can build based on source code snapshots, etc. No doubt
in time perhaps someone like Blastwave will have a patching service of their
own to make incremental upgrades, much like what Sun does now (in fact, even
using the same tools, but rather providing a different URL, who knows).

That's why Sun feels they can do what they're doing. You have all the
options available to any other OpenSolaris user, or in fact, any Linux or
BSD user. The downside is OpenSolaris is not yet as mature as BSD and Linux
in terms of community support and infrastructure, having been reliant on Sun
all this time. Well, that tap is turned off.

On the other hand, if you'd like to leverage Suns offereings, you need to
pay them. Their prices are pretty darn cheap. They MUCH cheaper than Red
Hat, which offers pretty much the same services, but you can't get an
"update only" offering like Suns. Red Hat basically dings you for a 4-CPU
machine whether your running 1, 2, or 4 CPUs. Suns will scale with the
socket. Run it on a Dual Core Opteron and pony up the $10/month and giggle
all the way to the bank.

If you find Suns prices too high, feel free to create "sunhat.com",
aggregate the patches, deploy the servers, pay for the bandwidth and power,
and offer it to the community.

I really don't understand what people were expecting here, or why they're
surprised, or, nay, even disappointed by this. What did you expect Sun to
do?

Regards,

Will Hartung

Even as a home user, it will still probably be worth it to me to get the
cheapest service plan.  It would be nice if it were half price for home
users or something, though.   $10/month for patches is a little steep,
in my opinion...

   - Logan

People also seem to be forgetting that the quarterly (or so) updates,
which include just about all patches, are also free.

So people like me (hobbysists), students, small businesses who can't/
don't want to afford a service contract can use the Update releases
of Solaris for $0.  Solaris Express is also a $0 option, but given its
pre-release status, ought not to be deployed in production.

For commercial interests, for whom having timeley access to the latest
patches is an issue, support contracts are the way to go.

Yeah, it would be nice if Sun could give everything, including service
and all patches, away for free, but they have to make money somehow.

--
Rich Teer, SCNA, SCSA, OpenSolaris CAB member

                                                    .  *   * . * .* .
                                                     .   *   .   .*
President,                                          * .  . /\ ( .  . *
Rite Online Inc.                                     . .  / .\   . * .
                                                    .*.  / *  \  . .
                                                      . /*   o \     .
Voice: +1 (250) 979-1638                            *   '''||'''   .
URL: http://www.rite-online.net                     ******************

Quote:> Even as a home user, it will still probably be worth it to me to get the
> cheapest service plan.  It would be nice if it were half price for home
> users or something, though.   $10/month for patches is a little steep,
> in my opinion...

--
Rich Teer, SCNA, SCSA, OpenSolaris CAB member

                                                    .  *   * . * .* .
                                                     .   *   .   .*
President,                                          * .  . /\ ( .  . *
Rite Online Inc.                                     . .  / .\   . * .
                                                    .*.  / *  \  . .
                                                      . /*   o \     .
Voice: +1 (250) 979-1638                            *   '''||'''   .
URL: http://www.rite-online.net                     ******************

Security fixes have priority for Solaris and therefor for Solaris Express;
and the earliest they generally appear is in the Solaris Express Community
Edition.  (Security fixes are expedited through the patch process so the
patches have a chance of coming out around the time SX/CE hits the net.

Quote:>Even as a home user, it will still probably be worth it to me to get the
>cheapest service plan.  It would be nice if it were half price for home
>users or something, though.   $10/month for patches is a little steep,
>in my opinion...

(Note: in 2003 patches weren't public either)

Casper
--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.

Quote:> $10/month for patches is a little steep,
> in my opinion...

What annoys me is when things (like the Solaris 9 license) are described
as free but are in practice not free at all (if you want to be legal).
At least with Solaris 10 Sun are honest about it all.

--
Dave K

http://www.southminster-branch-line.org.uk/

Please note my email address changes periodically to avoid spam.

for a couple of months only. Later set it manually. The month is
always written in 3 letters (e.g. Jan, not January etc)

One of the real issues for me is what happens when there is some sort of
urgent, important security fix.  I'm talking about remote root exploits
or other serious vulnerabilities, and situations where vendors don't
have advanced warning before the vulnerability (and exploit) are made
public.

My perception is that in such a case, vendors (including Sun) will, or
at least should, release a fix very quickly.  Something on the order of
48 hours, possibly.  Certainly less than a week.

And, though I haven't tried Solaris Express, from what I've read on the
web, new editions come out about monthly.  This means that in the worst
case, it could be up to a month (or even more if monthly is a rough
guide) before an important security fix is available in Solaris Express.

So, my expectation is that in such a case, the patch for the production
release could become available before the next edition of Solaris Express
is available.  Part of the reason I'm assuming that is that as far as I
can tell, the release process for Solaris Express is not motivated by
concerns like timeliness of security updates; instead, its purpose is
to get updated stuff out there when possible.  Because it's not a
maintenance branch and is under active development, it's not always a
good time to release, even if a security fix has just been made.
And anyway, it doesn't matter since if someone is running Solaris
Express and there's a flaw with it, they shouldn't be running it on
a production system in the first place, so it's not important to fix
it immediately.

So I guess my question is whether in such a case, the fix for a major
security hole would come out first as a patch or as an update to
Solaris Express.  My guess is that the patch should normally come
first, but I could be wrong.  Maybe the truth is that this doesn't
(thankfully) happen all that often, so Solaris Express may lag behind
in some cases, but it's may be that big a deal.

The other two issues that make me think I will want to go with support
when I upgrade to Solaris 10 are these:  First, I really want software
that someone is confident enough in to call it "release".  Even if
the work in progress is in a really good state and is quite stable,
I still prefer not to deal with it.  And second, the idea of upgrading
to a new Solaris Express release every month in order to keep up to date
on fixes isn't appealing.  I'd much rather have a set of patches that
I can pick and choose from and that I can back out if I need to.
In fact, one of the reasons I *like* Solaris in the first place is that
Sun seems to fundamentally get the idea of a stable branch with only
bugfixes and a few carefully-chosen enhancements, whereas many OS
vendors (*cough* Linux *cough*) seem to think that if you want bug
fixes, you'll be happy to go to the bleeding edge in order to get them.

Bottom line is, when push comes to shove, to me the convenience of
patches is worth $120/year.  My only gripe is that the price seems a
little higher than it needs to be for home users.

   - Logan

Quote:>And, though I haven't tried Solaris Express, from what I've read on the
>web, new editions come out about monthly.  This means that in the worst
>case, it could be up to a month (or even more if monthly is a rough
>guide) before an important security fix is available in Solaris Express.

Quote:>So, my expectation is that in such a case, the patch for the production
>release could become available before the next edition of Solaris Express
>is available.  Part of the reason I'm assuming that is that as far as I
>can tell, the release process for Solaris Express is not motivated by
>concerns like timeliness of security updates; instead, its purpose is
>to get updated stuff out there when possible.  Because it's not a
>maintenance branch and is under active development, it's not always a
>good time to release, even if a security fix has just been made.
>And anyway, it doesn't matter since if someone is running Solaris
>Express and there's a flaw with it, they shouldn't be running it on
>a production system in the first place, so it's not important to fix
>it immediately.

We're not exactly there yet because the mechanisms aren't in place,
but it's certainly the intend that all distributions will be equally
save and that source based relief will be easy to obtain.

Quote:>So I guess my question is whether in such a case, the fix for a major
>security hole would come out first as a patch or as an update to
>Solaris Express.  My guess is that the patch should normally come
>first, but I could be wrong.  Maybe the truth is that this doesn't
>(thankfully) happen all that often, so Solaris Express may lag behind
>in some cases, but it's may be that big a deal.

Quote:>The other two issues that make me think I will want to go with support
>when I upgrade to Solaris 10 are these:  First, I really want software
>that someone is confident enough in to call it "release".  Even if
>the work in progress is in a really good state and is quite stable,
>I still prefer not to deal with it.  And second, the idea of upgrading
>to a new Solaris Express release every month in order to keep up to date
>on fixes isn't appealing.  I'd much rather have a set of patches that
>I can pick and choose from and that I can back out if I need to.
>In fact, one of the reasons I *like* Solaris in the first place is that
>Sun seems to fundamentally get the idea of a stable branch with only
>bugfixes and a few carefully-chosen enhancements, whereas many OS
>vendors (*cough* Linux *cough*) seem to think that if you want bug
>fixes, you'll be happy to go to the bleeding edge in order to get them.

And really, what do you think is better tested?  The bi-weekly release
of Solaris.next, which is tested in complete integration or the last
release (Solaris 10) + random set of patches?  (A number of fixed patch
sets is really well tested; but the more variables you change the further
from the test matrix you get)

Casper
--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.