[nzlug] CentOS and the "joys" of rpm based systems
Steve Holdoway
steve at greengecko.co.nz
Sun Jan 20 23:14:46 NZDT 2008
On Sun, 20 Jan 2008 22:55:49 +1300
Daniel Lawson <daniel at meta.net.nz> wrote:
> > For example, why wouldn't you reconfigure the kernel of a database server to reflect its needs, rather than installing one that runs X pretty well?
> >
>
> Mostly because the kernel developers don't think I should have to have
> different kernels. Which tweaks did you have in mind?
Well, changing the scheduler is a good start.
>
>
> During this thread I've assumed you've meant hand-compiling packages and
> distributing through some manual mechanism - either hand-built on every
> machine, or built once, scp'd then installed on every machine. That's
> what I interpret "hand compiling" to mean.
>
> IMO the better practice is to utilise the tools you have in your
> distribution. To use your example of openssh, I would build an openssh
> 4.7p1 package, and put that on my private deb repository, and would get
> pushed out to all my nodes. I can track per-distro changes in build
> time configurations easily, including taking note of which libraries are
> relevant on each distro. Other than a short amount of work for each
> release, this makes pushing these packages out trivially easy.
>
> I don't think openssh is a great example, because debian *do* track
> security flaws in openssh really quickly, and I can't think of anything
> that is a must-have new feature in the intervening versions. It's just
> not worth the time to me.
>
> What is worth spending the time on is building a reproducible network,
> through standardised builds and processes, existing distribution backed
> expertise and infrastructure and node management tools like puppet. So
> I'll let debian push a new openssh package for me, and let me focus on
> deploying new tools and infrastructure. If and when the shit hits the
> fan with a serious flaw that doesn't get due attention, I'll do what's
> needed. I never said I won't pay attention to security notices... :)
>
To be sure, I'm playing devil's advocate to some extent here, although I do practice what I preach. However, I fully realise that the lack of trust I have in third party packagers may well reflect the number of times that I have been burnt in the past, and the delay in release of security patched software even now.
Most importantly, it's being aware of the security breaches as they happen that's top of the list. Only then can you assess the risk and act accordingly.
Steve.
--
Steve Holdoway <steve at greengecko.co.nz>