From: Marian Hettwer
To: Anton - Valqk
Cc: Andy Kosela, freebsd-stable@freebsd.org
Date: Wed, 11 Jun 2008 13:26:13 +0200
Subject: Re: CLARITY re: challenge: end of life for 6.2 is premature with buggy 6.3

Hi there,

some thoughts to your problem in regards to Debian administration time needed vs. FreeBSD administration time needed. I believe I can make a point there, since I have 600 debian boxes under my hood but still am a FreeBSD advocate ;-)

On Wed, 11 Jun 2008 12:53:02 +0300, Anton - Valqk wrote:
>
> My main drama with FreeBSD is that ports don't have -SECURITY patches,
> and if there is a bug in php
> I have to rebuild and populate the latest version.

That's unfortunately true. But there is a way around.
As soon as you have several FreeBSD boxes, I'd advise you to install your own FreeBSD box for packages building. So if you need to update your php installations, go to your build box (which has the very same versions of programs installed as your production boxes), update your ports tree and do a "make package" of your new php port. If the new php package works fine on your build box, roll it out via "pkg_add -r $NEWPHPTHINGY" and off you go.

> Another _very important_ thing is that there is no binary support to
> packages that have vulns,
> and you have to rebuild them from ports.
>

Well, it's one time doing a make package... Even debian has no plus point there (at least in our environment at work). We pretty much always need our Apache 2 custom build, not the way the Debian projects build it. Thus we have a Debian build box around and build our own Apache 2.2 package. This is, indeed, the same amount of effort you would have when using FreeBSD. IMO the overhead in Debian to build a package is higher than in FreeBSD, but YMMV.

> Just a simple example:
> I have 4-5 fbsd machines and about 15-20 debian stable machines.
> To administer fbsd machines when there are ports bugs (bugs in ports I
> use) it takes me at
> least about 4 times more time than update _all_ debian machines...

depends on the way you go. Generally speaking, you really really want a build and test machine before you deploy a security update or even a new version of your software (in this case: php). Even with Debian boxes you really shouldn't just "apt-get upgrade && apt-get update" but test before!

> Well...I have other things to do too, too many... now guess what I will
> choose?
> I'll use debian, and that's not because I don't have will to use
> freebsd, it's simply because I do my tasks 4 times slower than when I
> choose debian.

hhmm... I really can't agree on that statement.
If you do your admin work in a clean and sane way, most of the time spent for updating boxes is spent on testing the change before upgrading. The difference between a "debuild" for building a new package, and then apt-get upgrade / update them on your box vs. "make package" and pkg_add -r them on your box is really slim...

> Someone will say "FreeBSD is not for you, then back off". That's not the

I wouldn't say that :)

>
> Once I've told that there is no binary support (but I didn't express
> myself correctly). There is no ports VULNS binary support.
> If there is (and I've never heard of it), I'll be very happy someone to
> point me out this, because I'll continue running fbsd.
>

If you take a close look onto how the debian project is backporting security fixes you would probably agree that pretty often it's more desirable to jump to a newer version of that software than instead just security fixing it.

Examples needed? MySQL 4.1.11 was the "stable" MySQL 4.1 in Debian Sarge. Of course it got security fixed, but not bugfixed. You get a secure version of MySQL 4.1 in Debian but not a stable one, because important bugfixes are missing. I'd rather upgrade to the latest MySQL 4.1.xx instead. And of course, do your testing before jumping version numbers.

I hope that my impressions will help you in working with FreeBSD in a server environment.

Cheerio,
Marian
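
The build-box workflow in the message above only tests what production will run if the build box really carries the same package versions as the production boxes. An added example, not part of the original message, that checks this parity from two pkg_info-style listings; the sample inventories, the function names and the `ignore` parameter are constructed for illustration.

```python
# Constructed sample inventories in the "name-version comment" layout that
# FreeBSD's pkg_info prints; package versions here are made up for the demo.
BUILD_BOX = """\
apache-2.2.8 Version 2.2 of Apache web server
mysql-server-4.1.22 Multithreaded SQL database (server)
php5-5.2.6 PHP Scripting Language
"""
PROD_BOX = """\
apache-2.2.8 Version 2.2 of Apache web server
mysql-server-4.1.22 Multithreaded SQL database (server)
php5-5.2.5 PHP Scripting Language
rsync-3.0.2 A network file distribution/synchronization utility
"""


def parse_inventory(text):
    """Return {package name: version} from pkg_info-style lines."""
    packages = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if not fields:
            continue  # blank line
        # A FreeBSD package version never contains '-', so the last
        # hyphen of the first token separates name from version.
        name, sep, version = fields[0].rpartition("-")
        if sep and name and version:
            packages[name] = version
    return packages


def drift(build_text, prod_text, ignore=()):
    """Report where the build box and a production box disagree.

    `ignore` lists packages that differ on purpose, e.g. the update
    currently under test on the build box.
    """
    build, prod = parse_inventory(build_text), parse_inventory(prod_text)
    report = {"version_mismatch": {}, "only_on_build": [], "only_on_prod": []}
    for name in sorted(set(build) | set(prod)):
        if name in ignore:
            continue
        if name not in prod:
            report["only_on_build"].append(name)
        elif name not in build:
            report["only_on_prod"].append(name)
        elif build[name] != prod[name]:
            report["version_mismatch"][name] = (build[name], prod[name])
    return report


if __name__ == "__main__":
    for kind, items in drift(BUILD_BOX, PROD_BOX).items():
        print(kind, items)
```

An empty report with the package under test passed in `ignore` means the test on the build box is representative; anything listed under `only_on_prod` is software the build box never exercised.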