
Comment Re:Linux needs a "Zone Alarm" like program (Score 2, Interesting) 611

I suspect the GP is talking about the interactive features of Zone Alarm. My understanding is that it only allows outgoing network traffic from known executables that the user has allowed. If an executable hasn't requested network access before, or if an executable that previously asked for access and was granted it has now been modified (an upgrade/overwritten by malware/...), then Zone Alarm will ask the user again if network access should be granted. It also notes that the executable has previously asked for access and that the file has changed since the last access. L7 filtering is a good start, but it's the user interaction at the time of network access that makes Zone Alarm really useful.
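The decision the comment above describes (allow a known, unchanged executable; ask again for a new or modified one) can be sketched as follows. This is an added example, not part of the original comment and not Zone Alarm's code; the `OutboundPolicy` class, its method names and the temporary `updater` file are hypothetical.

```python
import hashlib
import os
import tempfile

ALLOW, ASK_NEW, ASK_CHANGED = "allow", "ask-new", "ask-changed"

def file_digest(path):
    """SHA-256 of the executable's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class OutboundPolicy:
    """Hypothetical allowlist: resolved path -> digest the user approved."""

    def __init__(self):
        self.approved = {}

    def check(self, exe_path):
        """Decide what to do when exe_path asks for outbound access."""
        path = os.path.realpath(exe_path)  # resolve symlinks before lookup
        known = self.approved.get(path)
        if known is None:
            return ASK_NEW        # never asked before: prompt the user
        if known != file_digest(path):
            return ASK_CHANGED    # approved earlier, file differs now: prompt again
        return ALLOW

    def approve(self, exe_path):
        """Record the user's approval of the file as it is right now."""
        path = os.path.realpath(exe_path)
        self.approved[path] = file_digest(path)

def demo():
    """Constructed scenario: first request, approved request, then a modified binary."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "updater")  # stand-in file, not a real program
        with open(exe, "wb") as f:
            f.write(b"version 1")
        policy = OutboundPolicy()
        results = [policy.check(exe)]
        policy.approve(exe)
        results.append(policy.check(exe))
        with open(exe, "wb") as f:        # upgrade or overwrite changes the content
            f.write(b"version 2")
        results.append(policy.check(exe))
        return results

if __name__ == "__main__":
    print(demo())
```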

Comment Re:Ouch (Score 1) 349

cd linux-2.6.32-rc5 ; grep -r [^n]lock_kernel\(\) * | wc -l

Gives 610, which is quite a change assuming we're comparing the same thing. That breaks down as follows:

arch:42 | block:9 | drivers:328 | fs:226 | init:2 | kernel:10 | net:10 | sound:15

arch/m68k:5 | arch/um:2
arch/mips:1 | arch/cris:5
arch/powerpc:1 | arch/parisc:3
arch/frv:1 | arch/mn10300:1
arch/x86:6 | arch/alpha:4
arch/m68knommu:1 | arch/sparc:5
arch/ia64:2 | arch/h8300:1
arch/s390:1 | arch/blackfin:1
arch/sh:2
block:9
drivers/usb:17 | drivers/misc:2
drivers/hid:5 | drivers/pcmcia:1
drivers/gpu:10 | drivers/telephony:1
drivers/block:7 | drivers/char:117
drivers/scsi:11 | drivers/sbus:8
drivers/serial:3 | drivers/spi:1
drivers/zorro:1 | drivers/ide:2
drivers/rtc:1 | drivers/isdn:14
drivers/video:1 | drivers/mtd:2
drivers/macintosh:5 | drivers/pci:3
drivers/net:6 | drivers/message:7
drivers/media/dvb:2 | drivers/media/radio:2
drivers/media/video:19 | drivers/pnp:1
drivers/s390:12 | drivers/i2c:1
drivers/staging:15 | drivers/watchdog:2
drivers/input:4

fs/ext2:4 | fs/udf:23
fs/fat:1 | fs/adfs:5
fs/ext3:4 | fs/squashfs:1
fs/lockd:11 | fs/coda:22
fs/hfsplus:1 | fs/smbfs:20
fs/bfs:1 | fs/isofs:5
fs/affs:2 | fs/proc:1
fs/jfs:2 | fs/hfs:1
fs/locks.c:14 | fs/ecryptfs:2
fs/exec.c:1 | fs/ufs:17
fs/nfs:8 | fs/ocfs2:3
fs/compat_ioctl.c:1 | fs/nilfs2:2
fs/hpfs:19 | fs/ncpfs:12
fs/ntfs:4 | fs/ext4:4
fs/read_write.c:1 | fs/freevxfs:3
fs/autofs:7 | fs/jffs2:2
fs/cifs:1 |
fs/namespace.c:1 | fs/reiserfs:7
fs/ioctl.c:1 | fs/qnx4:3
fs/nfsd:5 | fs/block_dev.c:2
fs/afs:2
init:2 | kernel:10
net/wanrouter:2 | net/irda/irnet/irnet_ppp.c:8
sound/oss:12 | sound/core:3

Comment Re:awesome (Score 1) 117

Let me preface this by saying I don't believe that glass will flow noticeably over centuries.

> It turns out that, back when this glass was made,

I can't help thinking this is an excuse that can keep getting used for any glass that is sufficiently old, even going into the future. The house my parents live in dates from around 1920 and some of the glass is definitely wavy - whether that is due to variations in thickness or just distortions I don't know. Likewise I have no way of saying how old the glass is. Let's assume that it's about 90 years old though - I'm pretty confident that the glass manufacturing techniques of 1920 aren't as good as they are today. Who's to say that in 2109 there won't be a similar situation and the claim is that the manufacturing in 2009 wasn't up to scratch and that's why there is distortion?

Comment Re:Brits love paying tax, so let them pay. (Score 1) 252

I used to have a TV, but stopped watching when I was writing up my PhD and never really got back into it. When the renewal came round I realised I'd watched maybe half a dozen programmes in a year and so decided not to renew. A bit later I got the expected "Are you sure you've not got a TV?" letter, which I replied to. I've since heard nothing. I think that was a year ago February. So occasionally TVL aren't complete pains in the bum.

Comment Re:IPv4 Address Exhaustion Is Always Be 2 Years Aw (Score 1) 266

You're right. The ipv4 address report at potaroo is a prediction based on modelling and it does change. A while back I started recording the reports and plotting the changes in predictions. It's a bit disappointing that I didn't start before the world began to end because I bet the graph would be a much more interesting shape. Anyway, the current predicted dates are getting further away - the number of days remaining at the time the report is made remains roughly constant.

Graphs at http://atchoo.org/ipv4/

Comment Re:It will happen (Score 1) 340

http://blog.icann.org/2008/02/recovering-ipv4-address-space/

ARIN recovered a /8 in 2007. It's unlikely they'll get any more back. I know that doesn't sound much, but the amount of effort involved in getting address space back means that it is probably not worth it. Who pays for getting the company to move their addresses? How long will it take? I wouldn't be surprised if the legal wrangling took a long time to sort things out. Given that we're using about one /8 per month, it won't help that much even if we could get a few blocks back.

Comment Re:It will happen (Score 2, Informative) 340

Take a read of http://www.potaroo.net/tools/ipv4/index.html to see the rate at which ipv4 addresses are being allocated, along with their predictions for the future. There's a lot there, but it's worth reading at least a bit of it :)

A while back, I wondered how their prediction changed over time so started logging it. The results of that are at http://atchoo.org/ipv4/

Comment Re:Wow, lots to learn here (Score 1) 904

> Yes, I do want access to the desktops. If I have to, I'll try VNC, but my experience of it has been that it's horribly slow to use, even over 100Mb. I can use Dameware to control machines of users that have dialed in from home, and it's still more than quick enough. It also has nice features like auto-reconnect that'll keep pinging a rebooting machine and automatically connect back up to it as soon as it's available.

I'm still not sure we're talking about the same usage... :) NX gives you the ability to have a graphical desktop much like Windows Remote Desktop. Any number of people can use it at once on the same machine. It does not give you the ability to control the session of an already logged in user in the same way as Remote Assistance (iirc) works. I don't know about dialup use, but I've used NX over low hundreds of k/s connections without any bother.

Cheers,
Roger

Comment Re:Wow, lots to learn here (Score 1) 904

I think you're stuck on a lot of those points, alas. These are my answers to selected questions, bearing in mind that I'm not a proper admin, even though I do look after 20 machines or so at work.

> I want to enforce the installation of updates

You could add a cron entry for root to install updates at a specified time each day and grab the updates from the repository that you run. Your repository can be in addition to the normal distro repositories, so you don't need to replicate everything.

> **Group Policy Software Deployment**

I don't think there is anything exactly as you describe, but there are tools that allow running of commands at multiple machines in parallel - I've never looked into this myself, but I believe they might be "cluster ssh" or "parallel ssh" or something similar. This bit is pure speculation, but I'd imagine that one of those, coupled with adding/removing machines to netgroups would look vaguely like what you describe.

> **Roaming Home Folders**

I imagine you're going to get lots of replies here saying "just use nfs!", and I'd be inclined to go with that myself. The usual way this is handled in my experience is to have the home directories on a remote server and that auto mounted with nfs when you log on to a machine. This sounds like what you describe apart from the part with a profile being copied to the local machine. I'm not sure I understand the benefit of that, could you clarify?

> **Preventing access to Executables**

As others have mentioned, you can mount anything with the "noexec" flag and nothing can be executed on that partition/network mount (is that what you meant by removing the execute flag? I wasn't sure whether you meant the execute flag on the file itself). As you're the only person with the ability to install software, bingo, they can only run what you want. If you want more fine grained control, looking into something like selinux would do it, along with a significant amount of hassle.

> **Remote Support**

Agreed, VNC is a bit clunky. I use nomachine nx for remote access and it's the bee's knees. This doesn't let you connect to an existing user session if that's what you mean by "remote access to any users desktop" though.

> Do you really need separate partitions for all these things?

On a user machine, not really. It can be useful at times though. Our machines at work typically have 20GB root partition for the OS, ?GB of swap and then the rest is set aside for installs of the *big* commercial apps that we use and temporary simulation data and the like. This partition is preserved during OS upgrades, so we don't have to reinstall which is nice. Essentially I'm saying 20GB (or more if you want, obviously it won't hurt too much to increase that) and an amount for swap is all you need, assuming your home directories are on the network.

I hope that answers some of your questions. I'll be interested to see what other people write as well!

Cheers,

Roger
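A check for the "noexec" suggestion in the comment above, as an added example that is not part of the original comment: it reads a mount table in `/proc/mounts` format and lists user-writable mount points that are missing the flag. The sample table is constructed, and the `USER_WRITABLE` prefixes and the function name are assumptions to adjust for a real site.

```python
import re

# Constructed sample in /proc/mounts format:
# device, mount point, filesystem type, options, dump, pass.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
fileserver:/export/home /home nfs rw,nosuid,nodev,noexec,vers=3 0 0
/dev/sda3 /scratch ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /media/usb\\040stick vfat rw,nosuid,nodev 0 0
"""

# Assumption: the places ordinary users can write to on these machines.
USER_WRITABLE = ("/tmp", "/home", "/scratch", "/dev/shm", "/media")

def unescape(field):
    """The kernel writes spaces and similar characters as octal escapes (\\040)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def audit_noexec(mounts_text, prefixes):
    """Return (mount point, fstype) for user-writable mounts lacking noexec."""
    missing = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        mount_point = unescape(fields[1])
        fstype = fields[2]
        options = fields[3].split(",")
        writable = any(
            mount_point == p or mount_point.startswith(p + "/") for p in prefixes
        )
        if writable and "noexec" not in options:
            missing.append((mount_point, fstype))
    return missing

if __name__ == "__main__":
    for mount_point, fstype in audit_noexec(SAMPLE_MOUNTS, USER_WRITABLE):
        print(f"{mount_point} ({fstype}) is mounted without noexec")
```

On a live machine, pass the contents of `/proc/mounts` instead of `SAMPLE_MOUNTS`.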
