[geeks] Policy for system / package upgrades in Enterprise

Andrew Jones andrew at jones.ec
Tue Jul 27 15:56:47 CDT 2010


On Mon, Jul 26, 2010 at 06:49:52PM +0530, Katrina Gawas wrote:
> Hi All,
> 
> We are trying to set policies for system / packages upgrade in our
> company. Currently most of our systems have Ubuntu 8.04LTS server.
> What do you think should be the policies in regards to the following:
> 

If these policy questions are even a concern for your firm, you should dump
Ubuntu sooner rather than later.  You are not Ubuntu's target audience.

> * Upgrading of packages? Say as per some requirement developers need
> java6u20 on production machines and currently Ubuntu 8.04 LTS only
> supports java6u6. There is one view from our IT head that one should
> upgrade the OS to keep up with the package requirement. Is this
> correct/viable?

You will be maintaining your own package trees regardless.  Canonical
only offers support and patches for a very specific set of packages. Anything
outside their core set of packages goes unpatched.

In other words, go nuts.  You'll have to maintain your own Java packages to
stay on top of security holes anyway. 

Needless to say, maintaining your own package trees will be labour-intensive.

> * Upgrading of OS? Ubuntu 8.04 LTS support will be available for a few
> more years. What should be the proposed OS change cycle. Or should
> only parts of the OS stack be updated as per requirement?

Having been forced to use Ubuntu in production, I would never recommend
upgrading an existing system.

> * Should any of the above policies vary if we want to strictly
> implement ISO 27001 considerations (http://www.iso27001security.com/).
> 

In my own work, I consider Ubuntu support to be strictly a "best effort"
endeavour. I can't imagine what hoops you would have to jump through to feel
comfortable that you had satisfied ISO 27k requirements.  


