Getting that patch installed.

The life of a software developer can sometimes be a little frustrating. Quite often when I work with development teams I am shocked to find that they don’t have administrative rights to their local workstation or they don’t have the capability of choosing what platform they develop on to best meet the requirements of the project.

I think the secretGeek put it well when he ventured that corporate IT may be a form of emotional abuse. Relating this back to software developers specifically, and introducing an analogy – if developers were butchers, then corporate IT would appear to be some kind of gremlin running around taking the edge off the knives to make the job even harder.

Sometimes I have to laugh though. I was having a conversation last night and one of my co-workers remarked how they were having to use a particular .NET technology because they couldn’t get the servers patched with .NET 3.5 SP1.

Apparently they aren’t allowed to install a patch unless it has been vetted through some internal process. One has to wonder what that process is – and how they ensure that the patch is appropriate for their environment. What if it fixes security issues? What are the risks of not patching?

When faced with idiotic odds, I sometimes think it becomes time to resort to subterfuge to get the job done. How would you recommend my co-worker get this patch installed either by manipulating the wetware or somehow sneaking in the upgrade onto the server? I could think of a couple approaches which might be regarded as hacking 😛


9 thoughts on “Getting that patch installed.”

  1. Paul Stovell

    They need to do what Adobe does. When Flash 10 was released, a couple of days later it was announced that Flash 9 had a security vulnerability. Of course this vulnerability wasn’t known about until a few days after 10 shipped. Coincidence? 🙂

    Just tell them .NET 3.5 has a security vulnerability that would allow people to bypass Windows-level security checks and allow a rogue .NET application to take domain administrator privileges.

    These organisations must have some fairly amazing “vetting” processes if their couple of sysadmins can find bugs that Microsoft legions couldn’t find (although 3.5 SP 1 did introduce some regressions, so maybe not so amazing). Fair enough that they may have internal applications that break, but what are they doing saying “No” when they should be busy testing?

    Whether overworked or lazy, these groups tend to thrive on finding a reason to say “no” rather than finding reasons to say “yes”. This is one benefit the cloud offers – good hosting companies will generally try to say “yes”, or they’ll be out of business. Grant Holliday was the first (and only) IT manager I’ve met who always tried to find ways to say “yes”.

    In the end it’s the managers/CTOs who are at fault. How do they justify lowering the productivity of a development team for a long period, when a short period of testing would be so much cheaper? How long can a vetting process take? 3.5 SP1 didn’t exactly ship yesterday. Maybe we should give CTOs lower pay and bigger bonuses to encourage risk taking 🙂

  2. Alex

    This is a little naive isn’t it?

    Organisations usually put such processes around installing patches so that they can be adequately tested with existing legacy applications and ensure they socialise within their environment. Sometimes as consultants we forget that IT is there to support the business and that these processes are put in place to reduce the risk of impacting their core business.

    I certainly wouldn’t recommend you resort to subterfuge to install the patch and run it. What if that patch that hasn’t been socialised or adequately tested breaks something? The customer isn’t going to be too happy that you introduced something that took down their business!

    If the patch is essential, why not communicate this to the customer and expedite the testing of the patch? Nothing will move it faster than the project manager advising the customer that the project cannot progress or has a huge risk of delivery failure associated.

  3. silky

    I think it’s exceptionally wrong to go in as a consultant and undermine the organisation’s own security policies just because “you” think something is better.

    Certainly not an approach I’d advocate. If you can’t make a case why the update needs to happen then, it doesn’t happen. Updates aren’t automatic. Software (yes, even updates are software) has bugs. You shouldn’t adopt it, in an environment that requires security, without a degree of testing.

    Fairly immature plan.

  4. Mitch Denny Post author

    Hi guys,

    When I refer to manipulating the wet-ware I am of course talking about convincing the system administrator that it was their idea to install the patch to get the job done. Not actually hacking in and installing it myself 🙂

    But thanks for the feedback anyway. Surely your development project has been held hostage by inadequate patching before though? At the end of the day it’s the business that needs to decide what they do.

  5. silky

    Not really no.

    I’ve never been held back by inadequate patching, and certainly not in regards to dev versions of frameworks.

    For example I’ve started several new projects at home, and I choose to mostly do them in 2.0. Why? Cause I think that’s the “minimum” I can get away with. Sometimes I start them in vs 2008/3.5/WPF cause I’m interested in learning something, or the project requires it.

    But typically, I’ll try and get away with the minimum version/features. So if it’s just a new website, I can’t imagine why I’d bother with 3.5 if I don’t need it.

    This approach has served me well.

    If you need it, justify it, and if you get rejected either continue to fight, or give up. If your client/person rejecting you is unreasonable then maybe consider why you’re working for them in the first place. I know that’s a fairly black and white view, but it’s at least something to consider.

  6. Brett Chapman

    Surely the Specifications of your project that were detailed and approved before you started your project would have shown what was required. If the requirements included going through the process of getting any Server-side installation processes approved and installed.

    Having been on the other side, i.e. an IT Pro, there is nothing worse than having a Developer having admin access to Production Servers. In my particular case (and this reflects badly on the particular Dev, not the whole profession) the Dev thought it would be easier to install some stuff on the server and all of a sudden, all applications on that Server suddenly stopped. Because he had gone directly to the box and done it, no-one else knew he had done it…. Needless to say we were not amused. He still didn’t learn his lesson so the next time he wrote something, he installed a keylogger on his machine and got an admin to log in and then just used the admin account and password to do his admin changes.. After we discovered that, he was gone….

  7. Mitch Denny Post author

    Hi Brett,

    I hope you are saying that tongue in cheek 🙂 A lot of projects don’t know in advance exactly what is going to be retoays where we can simply provision a virtual machine for the application until socialisation testing is complete.

    Assuming you use a decent licensing model for your operating system the cost is minimal.

  8. Robert H

    Hi Mitch,

    There is a certain place that you and I have worked at (I won’t mention names) that had a multi-tenanted system and because one of the servers had .net 2.0 installed on it, none of the projects were allowed to be done in .net 3.5. It’s places like that, that have to pay me as a contractor TOP dollar because I refuse to waste my time with older technologies. I think any senior dev/architect/consultant would also not want to work with older technologies because it doesn’t help their career. While this may not seem like a strong enough argument to upgrade to these latest patches, think again when you try to hire the top guys and say ‘Hey come and work for me and build me X in classic ASP’. Let’s see how many experienced quality devs turn up to that job!

  9. Kieran Jacobsen

    As an admin in Corporate IT, what will the patch break is my number one concern, if I install something and break something, it’s my arse on the line instead of the developer.

    I have been involved in patching a 3rd party web app here for a while, and it’s always something “I have done” when deploying the latest version into prod or UAT, then when we find out that a developer changed the version of .net for a virtual directory in the testing environments where they have administrative rights, and didn’t document it, somehow us admins are still expected to realise this fact.

    .Net patching is fraught with danger, at a previous company the developers were not installing patches as frequently as the admins were on the servers, we only discovered this when a change to .net 2.0 broke their app…it took a lot of tinkering and talking to Borland and Microsoft to nut out the issue, but it’s another example of patching issues, this time, in reverse.

    I like giving our dev teams higher privileges, but they should still run as normal users, and yes, patching should be identical on all systems.
