Mailing List Archive



Re: [tlug] Networking two Linux computers harder than Linux to Windows?



On 15/04/07, Godwin Stewart <godwin.stewart@example.com> wrote:
> On Sun, 15 Apr 2007 08:34:53 +0900, Dave M G <martin@example.com>
> wrote:
>
> > MySQL and Apache, for instance, both started without me ever having
> > to explicitly start them.
>
> Nitpick: your *packaged* versions of MySQL and Apache started because
> you have a package manager that starts running things without user
> intervention. That in itself is a good reason not to use it IMO.
>
> If I install MySQL here I have to run $PATH_TO_MYSQL/bin/mysqld_safe &
> explicitly from the command line. I also have to run "apachectl start"
> explicitly in order to run Apache. This is a basic security requirement
> so that the admin can give the configuration files a once-over before
> opening the services to the 'Net.


Eh? You don't use packaged versions just because they start
automatically? You'd rather re-compile every time there is a security
update to either the program itself or to one of its libraries? Not to
mention having to keep track of all the security-related issues in
order to know when you need to re-compile. Also having compilers and
development source-code on external production servers is not a good
idea, so you'd have to keep a separate machine to do all your compiling
on. More importantly, you are going to have to keep track of where
everything is installed and what version everything is at and pass all
this information on to your successor when you leave.

From experience, the Debian (and Ubuntu) packages have sensible
defaults and do not expose you to security risks out of the box. IIRC
in the case of the packages mentioned, the default configs limit them
to the lo interface, so no-one from the net can connect to them even
though they are running. And if you are really worried, then just
don't lower your firewall till you have configured them to your
liking.

IMHO not using a package management system on a production system (or
virtually any system for that matter) is downright stupid. The
benefits it brings are far too large to overlook. If the program you
want is not available or out of date, then the correct procedure is to
build a package yourself and install that. If the default post-install
scripts don't suit your needs, modify them before installing the
package. Do _not_ install stuff outside of the package management
system, because your system will become a fragmented mess when you
forget about the program you installed or your successor installs a
conflicting version because he didn't notice the previous install.

Sorry if I sounded a bit blunt, but I have had to deal with the mess
of an unmanaged system before now and I did not like it one bit, so I
get a bit irked when someone suggests not using one.

And just to cross my 'T's, there are few cases when pkg management
systems are not needed (eg some embedded systems), but any system that
needs updating should have one and it should be used.

Arwyn
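
A way to confirm, before lowering the firewall, that freshly installed services really are bound only to loopback as the message above recalls. This is an added example, not part of the original post; it assumes iproute2's `ss` is available, and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Flag TCP listeners reachable from beyond the loopback interface.
# Input: lines in the format printed by `ss -H -ltn` (iproute2):
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# Output: one "address port" line per listener NOT confined to loopback.
exposed_listeners() {
    awk '
    $1 == "LISTEN" {
        la = $4
        # Split at the LAST colon, since IPv6 addresses contain colons.
        port = la; sub(/.*:/, "", port)
        addr = la; sub(/:[^:]*$/, "", addr)
        # Strip IPv6 brackets and any %interface scope suffix.
        gsub(/^\[|\]$/, "", addr)
        sub(/%.*$/, "", addr)
        # 127.0.0.0/8 and ::1 are loopback; everything else is reported,
        # including wildcard binds (0.0.0.0, ::, *).
        if (addr ~ /^127\./ || addr == "::1") next
        print addr " " port
    }'
}

# Constructed sample input (not captured from a real host).
sample_ss_output() {
cat <<'EOF'
LISTEN 0 80   127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511  0.0.0.0:80 0.0.0.0:*
LISTEN 0 128  [::1]:631 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128  [::]:22 [::]:*
EOF
}

# Demo on the constructed sample; on a live host run instead:
#   ss -H -ltn | exposed_listeners
sample_ss_output | exposed_listeners
```

An empty result means every TCP listener is loopback-only; any line printed is a service that becomes reachable the moment the firewall is opened.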

