James Oakley wrote:
On Saturday 22 November 2003 05:52 am, LW999 wrote:
Using a source distro such as Gentoo on a production machine is a really stupid idea. Don't do it.
Why is this not a good idea? This is a serious question and not intended to be inflammatory. Your reasoning concerning this will be interesting and benefit users of this list.
Many reasons:
- Gentoo's security update policy is "build the new version and perform minimal testing." New versions introduce new bugs and API changes. This can break dependent software. Remember the last OpenSSH problem? SUSE and Red Hat fixed the shipped version and Gentoo upgraded to the new version, which introduced a new bug. Gentoo had to release a new version.
- Installation/configuration time is much longer. Imagine if a production server suffers a total failure. How long is it going to take to recreate the OS install + configuration + data? SUSE does this in no time with Autoyast and Yast backup/restore.
- Remember all of those trojaned Makefiles a while back?
- I don't put compilers, downloading tools, etc. on systems that don't need them. If you've done any forensics, you'll notice that the first thing a cracker does is download and compile something. This makes their life very difficult and increases the chances that you will catch them before they do something bad. They may also just give up, if they are of average intelligence for a script kiddie. (Aside: it's also a good idea to block outgoing connections to any machine other than an update server that you control.)
- SUSE does a *lot* of testing on all of their packages. By building them once they eliminate problems introduced by certain external factors such as libraries and build tools.
- RPM gives you some great security benefits such as md5sums on all package files (great for detecting root kits) and GPG signatures.
--
James Oakley
Engineering - SolutionInc Ltd.
joakley@solutioninc.com
http://www.solutioninc.com
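The last point above (package-file checksums as a rootkit detector, the idea behind `rpm -V`) is easy to see in miniature. The script below is an added example written for this thread, not code from James or from any distribution: it records a baseline manifest of file digests for a directory tree and later reports files that were modified, removed, or added. The directory layout, the file contents, and the "tampering" it simulates are all constructed inside a temporary directory so it runs offline; it uses SHA-256 where RPM of that era used md5, and unlike `rpm -V` it checks only content, not mode, owner, or mtime.

```python
"""
Added example (not from the thread): a minimal file-integrity check in the
spirit of the package-file checksums James mentions. A baseline manifest is
recorded at install time; a later verification run reports what changed.
The paths and contents used by demo() are constructed, not real system files.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path, algo: str = "sha256") -> str:
    """Hash a file in 64 KiB chunks so large binaries don't load into memory."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, algo: str = "sha256") -> Dict[str, str]:
    """Map each regular file (relative to root) to its digest.

    Symlinks are skipped: hashing their target would hide a link that was
    silently repointed, and the link itself has no content of its own.
    """
    manifest: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = file_digest(p, algo)
    return manifest


def verify(root: Path, baseline: Dict[str, str],
           algo: str = "sha256") -> Dict[str, List[str]]:
    """Compare the tree under root against a stored baseline.

    Returns three sorted lists: files whose content changed, files that
    disappeared, and files that were not in the baseline at all (the last
    category is what catches a dropped tool or backdoor binary).
    """
    current = build_manifest(root, algo)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    missing = sorted(k for k in baseline if k not in current)
    added = sorted(k for k in current if k not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree, take a baseline, alter it, and verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"constructed stand-in for /bin/ls\n")
        (root / "bin" / "ps").write_bytes(b"constructed stand-in for /bin/ps\n")
        (root / "etc").mkdir()
        (root / "etc" / "motd").write_text("welcome\n")

        baseline = build_manifest(root)

        # Simulated post-compromise changes (constructed): one binary
        # replaced, one file removed, one unexpected file dropped in.
        (root / "bin" / "ps").write_bytes(b"replaced content\n")
        (root / "etc" / "motd").unlink()
        (root / "bin" / "nc").write_bytes(b"file not in baseline\n")

        return verify(root, baseline)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:9s} {paths}")
```

Running it prints `modified ['bin/ps']`, `missing ['etc/motd']`, and `added ['bin/nc']`. The caveat that applies equally to `rpm -V` is that the baseline is only as trustworthy as its storage: an intruder with root can rewrite a manifest kept on the same host, so the reference digests (or the RPM database, or the signed packages themselves) need to live read-only or off the machine, which is also why James's point about GPG-signed packages matters.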
James, Thank you for a very considered and thoughtful answer. These issues were not apparent to me and perhaps to other members of this list. Dereck Fountains' earlier contribution was useful as well. Regards. LW999