Fedora 8

Daryl Tester dt-linuxsa at handcraftedcomputers.com.au
Wed Dec 12 23:32:12 CST 2007


Sorry, this has been sitting in my Drafts folder for a few days,
and it's starting to go stale, so this post will be a little
rambly ...

Adam Hawes wrote:

> Ahh the servers.  I tried fedora but their constant dropping support
> for FCx when FC(x+2) comes out means that you're forever running
> their fragile distribution upgrader.   I could say something about
> crazy and insane but if it's working for you best of luck that it
> keeps working.

My approach is probably different than yours (and most likely most
others).  I don't rely on Fedora's support much past the initial
install, and typically only install the core OS.  Most applications
(e.g. Apache, djbdns) I compile myself from scratch because I have
more control over what does and doesn't get compiled - I'm a huge
believer in "parts that don't exist can't break", and for instance
will leave something like PAM support out of openssh if there's no
requirement for it, therefore when issues like PAM GSSAPI crop up
I've reduced my potential surface attack area.  (I haven't done
this with the latest Fedora sshd I've deployed, and noticed that
there is a lot of cruft creeping in - pthreads? libselinux?).
Part of this also stems from how Redhat configure their binaries;
Apache's not chrooted out of the box (or at least wasn't since I
last looked), and is difficult to do so, and the web applications
that ship with it aren't typically built with compartmentalisation
in mind.  I still have an FC2 box that sits on the public 'net;
the only technical/business reason to upgrade it is to move to
more modern hardware (the last DR on the box showed the kernel
didn't cope with recent hardware).  From a software point of view
it doesn't run a "susceptible kernel", and all of its ports
contain hardened applications.  If it's still running and secure,
where's the driver to upgrade it (apart from the hardware issue)?

Even when building software I take a different tack - RedHat (and
other distributions I suspect) appear to only allow one version
of any application, whereas I take pains to version the programs
and libraries that they require so that I can run multiple versions
on the same box.  I did this recently with a Postgres server on
a production system (which I don't like doing, but this required
it); the cutover just required stopping the old Postgres, doing
the import and starting the new server without uninstalling the
software, in case of rollback.  I can't do this with RPMs without
skirting with dependency hell (especially where libraries are
involved), yet I don't have this issue when I build the software
myself.

There are risk management issues here, but I stay on top of several
security lists (plus the applications themselves).  Plus there's
always the issues of the bugs you know vs. the ones you don't (this
goes for upgrades as well; introducing new features introduces
changes, which invites bugs and unintended side effects).  Note that
this post might come off as "anti upgrade", which I'm not, I just don't
leap at the chance to upgrade software until I know the impact of
the change.  I don't believe this approach is for everyone, but it
works well for me (and my clients :-).

> We have a FC6 box here hosting some internal services  (bug tracker
> and version control mostly) and it's not supported anymore.  The box
> is too mission critical now (it never was when it started out but how
> things change) to risk taking it offline to install FC7 or 8 on it.

I think once they reach that level then management have to support it,
with something like buying DR hardware that you could at least plan an
upgrade path on.  What's their plan in the face of catastrophic failure
if it's mission critical?

> If you like Fedora why not try something like RedHat or Centos - they
> have longer term support so long as you don't need the latest and
> greatest everywhere.

I'm starting to think seriously about the "roll your own" option
with something like Linux From Scratch.  Something I need to look
into when I have spare time up my sleeves (ha!).

-- 
Regards,
  Daryl Tester

"Verbogeny is one of the pleasurettes of a creatific thinkerizer."
  --  Peter da Silva
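An added illustration of the side-by-side versioned install and "stop old, start new, keep the old one around for rollback" cutover the post describes (example code, not from the original thread; the ROOT layout, the stub binary and the Postgres version numbers are constructed):

```shell
#!/bin/sh
# Added example, not from the original post: keep several versions of an
# application installed under versioned prefixes and cut over (or roll
# back) by repointing one "current" symlink.  Nothing is uninstalled, so
# the previous version stays available.  ROOT, the app name and the
# version numbers are constructed for the demo.
set -eu

ROOT="${ROOT:-/tmp/versioned-demo}"   # assumed layout; /opt or /usr/local in real use

# install_version APP VERSION: stand-in for a real build installed into
# its own prefix, i.e. ./configure --prefix="$ROOT/APP-VERSION" then
# make install (an OpenSSH build would also drop unused features, e.g.
# --without-pam).  Here it only writes a stub binary.
install_version() {
    prefix="$ROOT/$1-$2"
    mkdir -p "$prefix/bin"
    printf '#!/bin/sh\necho %s %s\n' "$1" "$2" > "$prefix/bin/$1"
    chmod 0755 "$prefix/bin/$1"
    printf '%s\n' "$prefix"
}

# cutover APP VERSION: point $ROOT/APP-current at an installed version.
# Refuses to switch to a prefix that does not exist.  ln -sfn replaces
# the link itself instead of descending into the directory it points at.
cutover() {
    target="$ROOT/$1-$2"
    [ -d "$target" ] || { echo "no such install: $target" >&2; return 1; }
    ln -sfn "$target" "$ROOT/$1-current"
}

# current_version APP: the version the "current" link resolves to
current_version() {
    link=$(readlink "$ROOT/$1-current") || return 1
    link=$(basename "$link")
    printf '%s\n' "${link#"$1-"}"
}

# Demo: two versions installed, cut over old -> new, then roll back.  The
# data import between stopping the old server and starting the new one
# is the application-specific step and is out of scope here.
demo() {
    ROOT=$(mktemp -d)
    install_version postgresql 8.4 >/dev/null
    install_version postgresql 9.2 >/dev/null
    cutover postgresql 8.4
    cutover postgresql 9.2                       # new server goes live
    "$ROOT/postgresql-current/bin/postgresql"   # prints: postgresql 9.2
    cutover postgresql 8.4                       # rollback: old prefix still there
    current_version postgresql                   # prints: 8.4
    rm -rf "$ROOT"
}
demo
```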


