From owner-freebsd-isp@FreeBSD.ORG Sat May 23 15:09:24 2009
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5DD96106564A for ; Sat, 23 May 2009 15:09:24 +0000 (UTC) (envelope-from neil@neely.cx)
Received: from yx-out-2324.google.com (yx-out-2324.google.com [74.125.44.30]) by mx1.freebsd.org (Postfix) with ESMTP id 20A408FC15 for ; Sat, 23 May 2009 15:09:23 +0000 (UTC) (envelope-from neil@neely.cx)
Received: by yx-out-2324.google.com with SMTP id 8so1391007yxb.13 for ; Sat, 23 May 2009 08:09:23 -0700 (PDT)
Received: by 10.100.109.13 with SMTP id h13mr9476096anc.16.1243089370493; Sat, 23 May 2009 07:36:10 -0700 (PDT)
Received: from ?216.17.141.130? (ip-216-17-141-130.rev.frii.com [216.17.141.130]) by mx.google.com with ESMTPS id b7sm6270053ana.17.2009.05.23.07.36.08 (version=SSLv3 cipher=RC4-MD5); Sat, 23 May 2009 07:36:09 -0700 (PDT)
Message-ID: <4A1809E2.8020608@neely.cx>
Date: Sat, 23 May 2009 08:36:18 -0600
From: Neil Neely
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: "Tonix (Antonio Nati)"
References: <4A166B29.1070202@interazioni.it>
In-Reply-To: <4A166B29.1070202@interazioni.it>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-isp@freebsd.org
Subject: Re: Avoiding source code on production servers
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Internet Services Providers
X-List-Received-Date: Sat, 23 May 2009 15:09:24 -0000

Tonix (Antonio Nati) wrote:
> I'm in the phase of planning my new generation of FreeBSD servers, and
> I would love to make them easier to upgrade.
> The main problem I have currently is that I do not want any source code on
> production servers, so freebsd-update is welcome, but... what about
> packages?
> I would use packages, but they are not easy to upgrade, while ports
> can be easy to upgrade, but need to have sources on servers.

The weakness of FreeBSD here is very unfortunate and IMO goes far beyond just source vs. binary distribution. Working in a mixed environment where we have begun heavily using CentOS and utilizing yum, it's obvious how far behind FreeBSD has fallen in this space.

Ports lack any kind of concept of "Long Term Stable", so if you are running anything in ports (like, say, perl...) then when a security issue comes out you end up having to install new versions - the default is not to patch the older versions. For non-production environments that is likely fine, but for major production services it is a painful scenario. So you aren't just fixing security, you are mixing in the concept of adjusting functionality as well. (A recent perl "security" upgrade moved perl to a new version which broke compatibility with the Crypt::CBC module, requiring a reinstall - the new version of that from ports forced salting when it hadn't previously, and now applications were needing to be recoded to get it all working again.)

At the end of the day FreeBSD of course lets you have all the power to just apply the patches yourself to the source and you would be fine. At the cost that you need to be doing all of this work yourself and can't rely on nice management tools to help you. Every problem I've ever encountered with FreeBSD can be easily handled by a FreeBSD expert - but when I bring in a new green admin they have a heck of a time making any sense of it and I'm dragged back into the trenches of managing all this.

What makes the contrast extra frustrating is that it takes considerable skill and understanding of the details of an environment to safely update a production FreeBSD server. Contrast this with CentOS, where an extremely green admin can easily manage it with minimal instruction. Unlike with the FreeBSD process, this has no risk that it will cause cascading complex issues that require application modification to restore them to operation.

I've been using FreeBSD since the 2.x days in '96 or so, and I love it - my tone is critical because I'm sad to see the state of things and doubly sad that I don't have the time to volunteer with the project to help do something about it. In most ways I consider FreeBSD superior to any Linux; however, this core issue of maintenance over time has been driving our shift to using CentOS over the last few years.

If a "Long Term Stable Port Tree" concept were to come along I think that would plug the hole here. While I lack the time to lead such a charge, I would be happy to assist if such an effort were to get launched.

-- 
Neil Neely
http://neil-neely.blogspot.com/