Gentoo Forums
Check out this review... Not a very pleasant one
aksansai
n00b
Joined: 29 Jan 2007
Posts: 1
PostPosted: Mon Jan 29, 2007 5:26 am    Post subject: Posted a bug (RFE) about this

I figured, why not file an RFE in bugs.gentoo.org?

https://bugs.gentoo.org/show_bug.cgi?id=164351
malverian
Retired Dev
Joined: 22 May 2005
Posts: 2
Location: Gainesville, FL
PostPosted: Mon Jan 29, 2007 5:27 am

I've been part of the Gentoo development team since before /etc/gentoo-release broke 1.0 and there were fewer than 50 people in total on the team. For over three years, I've been running Gentoo on 20+ production servers at my workplace. When I first began working where I am, I decided on Gentoo because:

- I was very familiar with it,
- I could easily write my own packages if necessary and put them into portage,
- it was customizable, and
- had the most up-to-date software.

Very quickly, I began to realize some of these didn't make sense in an enterprise environment. Most importantly, you do not want to have the most up-to-date software, but the most stable software. You also want the software on all of your machines to be identical, otherwise a program that runs on one might not run on another (USE and CFLAGS can/do cause subtle incompatibilities).

The goal of an administrator is to only have to upgrade to fix critical bugs or security holes.

If you want to use Gentoo in an environment where downtime due to security/bug fixes is not acceptable, you will need the following:

- Server to build identical binary packages for use on all production machines for any architectures you use (at my workplace, we use x86_64 and x86)
- An agreed upon list of USE flags for every package you will be using on any server
- Staging machine or chroot(s) for testing package upgrades and installations before pushing to a production server. If you have wildly divergent setups, you will want a staging environment for each type.
- A custom managed portage tree, where you control what packages get in and when
- Knowledge that package Y needs to be rebuilt/deployed when upgrading package X (or revdep-rebuild any time you update something on staging server)
- A patched portage so that you can have local package revisions when you can't wait a few days for that security patch, but don't want to miss the next -rX version of the package when it comes out (http://bugs.gentoo.org/show_bug.cgi?id=152990)
- Manually check upstream errata for any packages you upgrade and make necessary adjustments to your configurations
- A subscription to security mailing lists; GLSA announcement list at the very least

This is a LOT of work, possibly even a part time job in and of itself. For many people, it is not a wise time investment when there are other distributions with thousands of smart people to perform these tasks for you (such as Debian). If you still want to run Gentoo servers, strap yourself in and get ready for a bumpy ride.

I don't want to give the impression that running Gentoo on servers is an impossible feat. If you follow the guidelines above, you end up with what is essentially your own custom Gentoo based distribution which you have full control over. There are some things that Gentoo has over any distribution out there:

- An amazing init system with dependencies, that doesn't try to take over the role of cron and dbus (*cough* upstart *cough*)
- The infamous Gentoo community: Gentoo-wiki and these forums
- Pretty console colors out of the box ;)

Here are the biggest "gotchas" that I've come across over the years:

- ABI incompatibilities: Any time you upgrade ANY package that provides shared libraries, check your reverse dependencies and build new binary packages for all of them with local revision bump (see portage patch mentioned above)
- Packages that go through a "revamp" very quickly drop support for old versions. If you were hoping to be able to install that GLSA update to dev-php/mod_php painlessly now that dev-php/php has replaced it, you've got another thing coming.
- You can never assume the stable ARCHs (x86 and amd64 at least) have gone through any sufficient quality assurance procedures -- You need to do your own!

Anyone trying to run a Gentoo server should understand all of the things I've mentioned here before you even consider installing it on a machine you intend to use in production.

If you take nothing else from this, at least pay heed to the following:

- Use a staging machine and binary packages if at all possible
- If you can't use a staging machine, use quickpkg and emerge --buildpkgonly when installing software for quick rollbacks
- Compile PHP so that all libraries are dynamically loaded at runtime!!
- Do not under any circumstances enable unstable keywords
- Never blindly 'emerge -u'
- As much as possible, use the same kernel version and .config
bunder
Bodhisattva
Joined: 10 Apr 2004
Posts: 5213
PostPosted: Mon Jan 29, 2007 6:20 am

mikegpitt wrote:
Ridiculous post. I came across it on Slashdot. I'm happy to see that some of the comments (on Slashdot) are in favor of Gentoo.

Gentoo can definitely run on a server, and run well. I run Gentoo on a company development server and it works great. I run a script every day that syncs and runs glsa-check. Based on this I decide if I need to do any security updates or not. Other than that things stay mainly static. I can also always count on my Gentoo server to get up to date if I need it to be, unlike other distros that may end support after a period of time.

Bottom line... you need to know how to use Gentoo if you want to put it on a server. I'm starting to get sick of people complaining about their terrible times with Gentoo, when it just seems that they really don't know enough about the administration of Gentoo.

BTW - If you don't want to do any compilation on the server, either use GRP releases, compile the packages in a staging environment, or use a portage BINHOST.

++

absolutely nothing wrong with running gentoo as a server. i have 4 of my own. :)
_________________
goodbye fgo. it was nice knowing you.
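The daily "sync, run glsa-check, decide" routine quoted above, combined with the quickpkg/--buildpkgonly rollback step from malverian's list, as an added example that is not code from the thread or from Gentoo: it assumes portage's emerge and quickpkg and gentoolkit's glsa-check are installed, and the DRY_RUN mode and the sample glsa-check report are constructed so the script can be read and exercised on any machine.

```shell
#!/bin/sh
# Added example, not from the thread: a daily security-only update check for a
# Gentoo server. Assumes sys-apps/portage (emerge, quickpkg) and
# app-portage/gentoolkit (glsa-check). DRY_RUN=1 (the default) prints the
# privileged commands instead of running them and uses a constructed report.

DRY_RUN=${DRY_RUN:-1}

# Run a command, or just echo it when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Keep only GLSA identifiers (YYYYMM-NN) from a glsa-check report on stdin,
# dropping the explanatory lines and any duplicates.
glsa_ids() {
    grep -E '^[0-9]{6}-[0-9]{2}$' | sort -u
}

# Exit 0 and print the IDs if the report on stdin names any GLSA this system
# is affected by; exit 1 when nothing applies, so the box stays static.
needs_security_update() {
    ids=$(glsa_ids)
    [ -n "$ids" ] || return 1
    printf '%s\n' "$ids"
}

# Produce the glsa-check test report. Dry runs use a constructed sample.
glsa_report() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' 'This system is affected by the following GLSAs:' \
            '200701-01' '200701-03' '200701-01'
    else
        glsa-check -t all 2>&1
    fi
}

# Archive the installed version of each package as a binary package, then
# build the new version without installing it. A bad rollout is reverted
# with `emerge -K =cat/pkg-oldver`; a good one is installed from the binary.
stage_with_rollback() {
    for atom in "$@"; do
        run quickpkg "$atom"
        run emerge --buildpkgonly "$atom"
    done
}

# The daily job: sync, check, and only then plan a security-only update.
daily_check() {
    run emerge --sync
    if ids=$(glsa_report | needs_security_update); then
        echo "Applicable GLSAs:" $ids
        for id in $ids; do
            run glsa-check -p "$id"   # pretend mode: lists what it would change
        done
        echo "Review the pretend output, then build and test on staging."
        return 0
    fi
    echo "No applicable GLSAs; leaving the system untouched."
    return 1
}

if [ "${1-}" = "--run" ]; then
    daily_check
fi
```

Run it as `DRY_RUN=0 ./daily-glsa.sh --run` from cron once the staging workflow is in place; with the default DRY_RUN=1 it only prints the plan.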
brant
n00b
Joined: 12 Feb 2006
Posts: 5
PostPosted: Mon Jan 29, 2007 7:51 am

aksansai wrote:
I figured, why not file an RFE in bugs.gentoo.org?

https://bugs.gentoo.org/show_bug.cgi?id=164351

Josh Saddler wrote:
------- Comment #1 From Josh Saddler 2007-01-29 06:31:38 0000 -------

As an administrator, you should be using the glsa-check utility regularly; it is part of gentoolkit. Also, it is up to the administrator to thoroughly search the output of emerge -pvtuD (for example). These will serve to help better inform you as to upgrade choices.

Please take this elsewhere, such as to the forums or the gentoo-user or gentoo-dev mailing list; bugzilla is not a place to idly discuss ideas.
DarKlajid
n00b
Joined: 06 Apr 2005
Posts: 2
PostPosted: Mon Jan 29, 2007 8:08 am

Keruskerfuerst wrote:
Config files:
In progress: overwrite unchanged config files without asking. I think this helps a bit. Maybe the developers should write an update program, which copies the changed parts (e.g. keyboard layout, timezone, clock settings) to the new config files.


Don't use etc-update. Use dispatch-conf.
Last edited by DarKlajid on Mon Jan 29, 2007 8:30 am; edited 1 time in total
Keruskerfuerst
Veteran
Joined: 01 Feb 2006
Posts: 1748
PostPosted: Mon Jan 29, 2007 8:13 am

I don't use etc-update (I haven't used it more than one time).
cventers
n00b
Joined: 22 Jul 2005
Posts: 5
PostPosted: Mon Jan 29, 2007 9:07 am

I'm a die-hard gentoo user with gentoo on all of my desktops. I also have a rack of IT servers at work that run gentoo. If I were going to build another rack of servers, I'd pick another distribution, and I hate to say it.

Why? Gentoo isn't horrible as a server, but it has some flaws and lacking areas:

1. Old ebuilds are scrubbed from the portage tree when you sync. Thus, you often end up in a situation where you are simply forced to build a newer version of something.

2. etc-update. 'nuff said.

3. As far as I know, we still lack a good scriptable installer.

4. revdep-rebuild can get really hairy and leave you with a half broken system.

As a desktop there are still some flaws but I would cry like a little baby if I were forced to use anything else.

If I had all the time I wanted, I'd love to rewrite portage in 'C' and support transactional software and configuration upgrades, but alas... time is so consumed these days I barely have any time to use the computer as anything but a utility.
Last edited by cventers on Mon Jan 29, 2007 9:09 am; edited 1 time in total
groovin
Guru
Joined: 07 Feb 2004
Posts: 429
Location: California, USA
PostPosted: Mon Jan 29, 2007 9:08 am    Post subject: i used to run several gentoo servers at work

if any of these systems went down, i'd be in trouble. they weren't 24/7, but they had to be up 8-6 and weekends. first off, the important thing was backups. and backups i did. many many backups. i used rsync snapshots with hardlinks to snapshot the systems every hour, keeping the backups on near-line disks. before deploying any box, i made sure i could do a bare metal recovery using the bootable gentoo cd and rsync over and over again. so, i got to the point where i could do a full system restore in minutes (restoring large amounts of data took time, but that's why we had 'shared' redundant storage).

installing the boxes was not a problem, i practiced the installs enough times that a stage3 was a snap. and really, if you understand linux well, a stage3 shouldn't be too hard to do after a few tries. as for updating them, i didn't do a full emerge world scale update. i carefully watched the crucial packages for updates, did my research. then i would test everything carefully before doing the update on any boxes.

after a while, the time did come to change profiles, but again, i just did my research, read a few good threads in the forums, and privately pinged a few seasoned gentoo server admins here on the forums for advice and started experimenting on test systems. if something had gone wrong (and nothing did) i had good backups that i could always revert to quickly.

so i guess my point in rambling is that you _can_ be conservative when using gentoo.
lu_zero
Developer
Joined: 05 Sep 2002
Posts: 49
PostPosted: Mon Jan 29, 2007 9:27 am

I'm not sure I want to give more popularity to this user, if he had been a gentoo user in the first place, BUT

- On freebsd you do more or less the same thing and strangely nobody

- Major mindless updates will end up in pain, no matter which distribution you are using; we are trying to give you the best tools to avoid or recover from most of the issues.

- I'm waiting for slashdot to push on the front page "Debian considered harmful on server" because somebody messed up the repos list, or "freebsd considered harmful on server" because he made universe every day and felt like blogging about it.

I'm getting sick of those destructive comments from people spitting on our voluntary contribution.
frilled
Retired Dev
Joined: 15 Mar 2004
Posts: 386
Location: Atlantis, inner city ring
PostPosted: Mon Jan 29, 2007 9:35 am

Well, there is some truth in all that. Over the last 4 years I have accumulated somewhat between 15 and 20 Gentoo production servers over here. I got in the Gentoo train because it was basically the only workable distro that does not have "releases". I had been burnt a lot by the "release" stuff in RH and especially SuSE, so the "moving window" approach seemed just right.

I still think of it as the right concept. Nevertheless, I have started building new boxes not based on Gentoo. The reason for that is that I can't afford the hassle anymore. Despite the roar that will follow this statement, from my point of view running production servers on Gentoo is quite some hassle.

There are factors that mitigate the problem, like usually fast support via IRC/bugzie (or even the forums), but it still takes an awful amount of time. Naturally, as I explained, I am a believer in constant updating. I don't know how *you* do it, but in my experience waiting out on updates on Gentoo leads to absolute disaster. If you wait too long, you will end up with a lot of *major* changes that require a lot of reading and following (usually well-written!) guides.

As most IT workers are aware, you shouldn't really change more than one thing on a working configuration, which is precisely the reason why I update often. Very often. It lowers the margin of error. I test most of the stuff in a test environment or virtual machines, but that's simply not possible for all systems.

There is one gotcha about Gentoo, though, that I wanted to do something about, but obviously failed to achieve blatantly. I can hear the screams "It's not true" even before I say it, but you can dig up lots and lots of comments backing this up on the mailing list, Planet Gentoo and possibly the Forums: A large fraction of Gentoo developers do not care about users. Please, calm down (he he) -- I'm not saying that Gentoo devs do not care about *individual* users, because they do. A lot. And they do care about making the stuff they maintain work. And the arch testers make sure they work even on platforms that very few people run.

Still, there is no "target". There is no minimal (well, of course, like kernel + baselayout + portage + compiler ...) set of stuff "guaranteed" to work. The concept of "moving window" only works if the whole tree moves within that window, and that is not necessarily the case. For example, I had to switch from heimdal to mit-krb5 and back to heimdal during the last years just to keep Samba operational (which, unfortunately, is a requirement for some of the work here). Sometimes I wasn't really able to keep Samba operational at all, which I thought was because of upstream bugs (which it wasn't, BTW, but that does not really belong here).

The thing is, that Gentoo is run by a lot of enthusiasts, and it is a great thing to work on and work with, but mark the work "enthusiast". If somebody goes AWOL or simply loses interest in some part of the tree [s]he has been working on, there's trouble looming. Others will take over, eventually, but there's a "window of trouble", and the "moving window" will clash with that one ^_^

The dangers are controllable, at least for now, but there are already parts of the tree that I feel are neglected, but are critical for me. So I'll be proactively switching those boxes to something else. I guess that's what we mean by saying "right tool for the job".
_________________
"Failure is not an option!"
"Sir, we are out of further options."
zeek
Guru
Joined: 16 Nov 2002
Posts: 478
Location: Bantayan Island
PostPosted: Mon Jan 29, 2007 9:37 am

Why do people hate Gentoo so much? I use and love Gentoo!

It seems to me that Gentoo has more people hating it than any other distro (except maybe Windows). Why don't people hate Slackware for instance?
julot
n00b
Joined: 27 Aug 2003
Posts: 55
Location: Mexicus
PostPosted: Mon Jan 29, 2007 10:25 am    Post subject: My experience.

I have had the following machines used as servers in my career, running Gentoo:

- Intel Server Board CA810.
- Via Apollo Pro/133. (in a little school).
- 3 Suns VZ20 With dual Opteron/Numa, LSI Logic RAID etc etc 2 gb ram each.
- 1 Nocona with 3 GB RAM, 3ware Raid.
- 1 Prescott with 1 GB RAM LSI logic Raid 5.

And no other OS (I used to use Slackware and Red Hat, also FreeBSD) has the power to anticipate and conquer the future like Gentoo.

Ok, it is tricky, but once you have implemented and learned a change on one system, the implementation on the others is a breeze.

With the Suns it was 1 hr per day to do sync/emerge/revdep-rebuild on the three servers. And all was awesome.

So on other systems it must be the same to do a successful upgrade; just in Gentoo style it is the OS that is claiming your attention to changes, and if you are accustomed to doing so, you will not have any problems at all.

People maybe take for granted that all software is "firmware based" and not that every professional and rock-solid implementation takes time. Ok, a full Gentoo stage 1 to KDE system on a Pentium 3-866 MHz with 512 MB RAM takes about 3 days.
But on the Suns VZ20, if you format the RAID 1 partition in the BIOS, it takes about 3 days also to enable the 2 SCSI disks!

So maybe all the people are succumbing to the Microsoft and rpm/tar Linux distro saga: installed in 1 hr and you take 1 week to enable with minimum security, but it is OK, you can "view your email" on the server, so it must be right.

Well. There are people for everything. To me, the moment I believed in the added value of Gentoo was when I installed Gentoo on a PAP-20 microboard from Portwell Taiwan that refuses to work on embedded FreeBSD.

So, Gentoo is an attitude, is Japanese Kaizen, is simply little changes on the steps to perfection. Ok, it is not perfect, we know about it, and it is not a waste of time, it is science!

And of course the idea of a Gentooized FreeBSD to me is in extremis incredibly ludicrous; maybe all software needs the Gentoo attitude. It won't hurt, contrary to what many people claim.

Have a nice year, Gentoo community, we know we are on the right track taking the customizing level to the edge! And in the end, it's just software, we can format and put IBM PC-DOS on anytime ;)

Cheers.

Julio.
_________________
"Sine ira et studio" Tacitus. (c.56-c.177 AD).
(With neither anger nor partiality).
bunder
Bodhisattva
Joined: 10 Apr 2004
Posts: 5213
PostPosted: Mon Jan 29, 2007 10:56 am

zeek wrote:
Why do people hate Gentoo so much? I use and love Gentoo!

It seems to me that Gentoo has more people hating it than any other distro (except maybe Windows).

i can think of 2 reasons.

1) most people aren't linux pros yet
2) some people are elitists, or some people enjoy bashing noobs whose only goal is to learn something new
_________________
goodbye fgo. it was nice knowing you.
valkyrite
Apprentice
Joined: 19 Sep 2002
Posts: 241
PostPosted: Mon Jan 29, 2007 11:33 am

Slashdotted

http://linux.slashdot.org/linux/07/01/28/2227232.shtml

:cry:
kaosone
Guru
Joined: 01 Feb 2004
Posts: 446
PostPosted: Mon Jan 29, 2007 11:59 am

i have 3 servers running gentoo; they require much more work than a debian based distro. i won't use gentoo anymore on servers :\ but i still love it on my desktop :D
St.Paul
n00b
Joined: 03 Jan 2007
Posts: 5
Location: Sao Paulo, Brazil
PostPosted: Mon Jan 29, 2007 12:28 pm

Hello... I often browse the forums, but due to my skills with the English language (I can read perfectly)... Well... the same with Slashdot.

This time I couldn't stand it and posted my own opinions about this matter on Slashdot.
I totally agree that the author didn't review Gentoo as he should.

http://linux.slashdot.org/comments.pl?sid=219274&cid=17797752
_________________
:WEIRDORAMA:
Jabber/Gtalk: stpaul at 0xbadc0ffe dot org
Hideki
n00b
Joined: 09 Mar 2003
Posts: 74
PostPosted: Mon Jan 29, 2007 12:47 pm

> If somebody goes AWOL or simply loses interest in some part of the tree [s]he has been working on, there's trouble looming.

You know, basically what's needed on production servers are big name applications, namely apache, bind, postfix etc. I'm pretty damn sure that those aren't maintained (upstream or here) by just a few enthusiasts, and as they go on vacation those packages won't simply fall. If you absolutely need some minor packages, that's your problem, obviously; if a package is minor, the upstream is minor too and there's nothing you can do about it unless you give a hand or find a bigger audience package, so that's not Gentoo's fault.

I see that some big name packages also do break rarely from time to time, be it the developer's fault, or your fault for not reading the right document on updates, but still, like everyone else says, if you have a test box to build and roll out the binaries with the glsa mailing list applied, I don't see there's any critical problem using Gentoo as a production server, and as someone points out, I don't like the 'Release' updates that change a lot of things. OpenBSD even tells you, you should wipe out and install clean from scratch :lol: And no upgrades are supported by jumping releases, so if you don't do major updates every 6 months with some official document saying 'you may do this, this should be safe' that doesn't sound too conclusive, you end up reinstalling every time.

With the right mind, and the mind to keep your arch not in a '~' situation with test boxes, I think it's good to go, and I'm planning to run servers on Gentoo in production soon.
People really complain about Gentoo when the compile takes forever and that makes them feel slow or cluttered or whatever, but honestly... doing emerge sync and emerge -uDN every so often via cron isn't the only option. If you only see a minor upgrade on the -rX version bump, I think you can safely stay out of recompiling the entire thing, and only watch GLSA for any serious updates you might need. I wouldn't just blindly try to emerge every update, because why would I compile the whole thing for a simple configuration fix?

Besides, who in their sane mind wants to install X and Firefox and a much fatter kernel on servers like every other distro does by default? :lol:
Hideki
n00b
Joined: 09 Mar 2003
Posts: 74
PostPosted: Mon Jan 29, 2007 1:14 pm

I just read the actual review and want to point out a few things.

This guy... somehow wants to squeeze the last clock cycle out of his ancient 486 or whatever he is using that took 3 days to compile his LAMP system...
Obviously he sees the point of Gentoo in figuring out the most ugly, risky but somehow optimized GCC flag and trying to feel good about it.

And the first few points he makes about the disadvantages of using Gentoo on servers are... 'Install takes too long' :roll: :roll: :roll:
Wow... so, however long it takes, once installed, what's the disadvantage of using Gentoo on servers? You don't reinstall Gentoo every week...
Besides, at this time, he somehow tries from stage 1... when the official doc tells him to use stage 3 by default, and he argues Gentoo's strong point of 'compile everything' is now lost using stage 3... come on... If he wants more power, get a damn new machine rather than reuse your decade-old machine...

> Since it takes a long time to compile a program, you usually don’t want to have to do it too often

Obviously, he has no idea of having a test build machine... and rather thinking to build a package on his used servers or something.

> Unfortunately Gentoo encourages you to update software on a frequent basis, just for the sake of updating.

Like I pointed out in the post above... You do not need to update for every single new portage update... someone write his email address on the glsa list for him... I hope he's not doing 'emerge --sync' every hour 'just for the sake of updating'. :wink:

> what you usually want to do is to set up a stable system and then forget about it.

:!: wow wow, who said you can forget about a production server once it runs in any OS out there! good god.

> You install security updates as needed but that’s it.

So, please do that on Gentoo too.

> A profile update will try to replace your basic system. If you are a system administrator, rather than a desktop user, this should be enough to scare the living daylights out of you!

If you don't know where to find the official Gentoo documentation, of course it scares the hell out of you. I'm rather scared to have Firefox installed on my server by default, but that's people's preference.

It's just that Gentoo needs commercial support; since there isn't anyone (that is major enough to be known worldwide) supporting Gentoo, people say 'Gentoo breaks, what do I do!'. Debian won't break as much as Gentoo because commercial support exists and their people keep things safe for you. So, obviously, if you try to sustain a Debian server yourself, saying things scare the hell out of you fast, then I think you end up having Debian broken too.

I mean, a simple Gentoo only has 100 packages or so... against 300 installed by default on Ubuntu or RedHat, and you can really bypass upgrades if you don't want them...

> If you don’t need new features, and things are working, why change anything?

It is you that is typing 'emerge -uDN world'

Things certainly change on Gentoo, but major apps usually come with a decent upgrade doc, and if you DO have a test machine, what's the problem...
And this man forgot to figure out that the compile advantage isn't only getting 10 more MHz out of your CPU; it makes you compile things the way you want. Many binaries come with functions not compiled in to your needs (what if Postfix didn't come compiled with MySQL support when that's what you want? [just as an example]); in Gentoo you don't have to worry that the binary provided sucks for you, and you don't have to start going to the official site to get the tar and do ./configure yourself.

And no one reinstalls Gentoo servers 3 times a year if they know where to find the doc.

Conclusion : Please stop crying already.
Last edited by Hideki on Mon Jan 29, 2007 1:20 pm; edited 2 times in total
KermitTheFragger
n00b
Joined: 20 Aug 2004
Posts: 41
Location: Netherlands
PostPosted: Mon Jan 29, 2007 1:15 pm

The guy has a valid point (IMHO of course).

I use gentoo for my desktop, but on my production servers I have Debian installed. It just costs less time to maintain them.
Jeremy_Z
l33t
Joined: 05 Apr 2004
Posts: 671
Location: Shanghai
PostPosted: Mon Jan 29, 2007 2:01 pm

The thing is, all the good points in favor of Gentoo are in fact more suited to a desktop, and that is why we all love it. I really love to be able to make use of some arch specific optimization, customize my USE flags according to my needs, be able to write my own ebuilds easily when I can't find X or Y in the tree, have really nice init-scripts, get up-to-date versions of X or Y packages ...

I did install one Gentoo server once, but I do not remember any of those features being specifically helpful.. I think I have enough experience in Linux in general to get a Debian server working and to maintain it, but most importantly I expect that from any coworker that has Linux server administration in his CV.

Besides, I found many distros that give you a secured and working server in no time and that require nothing but the bare minimum to maintain.

In that area I find Gentoo is more educational because you can learn much more with it than other distros with things like selinux, virtualisation, etc ... but adding complexity for the sake of it is not worth it in a production environment; other people do it in an integrated manner ... with support.
_________________
"Because two groups of consumers drive the absolute high end of home computing: the gamers and the porn surfers." /.
My gentoo projects, Kelogviewer and a QT4 gui for etc-proposals
Hideki
n00b
Joined: 09 Mar 2003
Posts: 74
PostPosted: Mon Jan 29, 2007 2:29 pm

Desktop is less of a problem... honestly. You don't open up network services, and even if some attacker gains read access to your system, so what? Not any worse than losing trust from your clients with client information roaming on the net.

And all the USE flags and the possibility to build your own binary are really for servers.
Who cares if your GNOME didn't have LDAP built in. But it does matter if your server software didn't have it.

Nothing really is secured in 'no time'... You have the illusion that Debian might be secure by default; it is true, if you don't run anything, but once you do, you do take time to make it secure no matter what OS you're using.

It isn't really complex... The compile takes time, and that just takes people's patience. It's no more complex than anything else, because applications run with their config files that are universal to any OS (to most extent). At least Gentoo tries to stay with the upstream by being able to configure everything under the console, unlike RedHat, where you need to learn how to use the GUI config editor on top of the actual application configuration and figure out the editor doesn't support every config entry and end up editing some of it by hand...

Support is a good call, but Gentoo doesn't have it, so it is support that is easing the maintenance, not the whole distro.
Syntaxis
Guru
Joined: 28 Apr 2002
Posts: 511
Location: London, UK
PostPosted: Mon Jan 29, 2007 2:36 pm

Hideki wrote:
Review wrote:
You install security updates as needed but that's it.

So, please do that on Gentoo too.

Actually, the reviewer has a point. Gentoo doesn't really provide for this. Distributions like Debian, RHEL and CentOS have a "frozen" stable tree, to which critical updates such as security fixes (and only critical updates) are backported. Since Gentoo's "stable" branch is far more fluid, Gentoo users must upgrade to whatever version of the software's currently marked as stable in order to get a security update. That means accepting the entire diff between whatever version they had before and the new one - not just the security-related fix.

The reviewer didn't state it very clearly, but I believe that's what he meant.
_________________
The Debian User Forums - help them grow!
massctrl
Apprentice
Joined: 19 Mar 2004
Posts: 156
PostPosted: Mon Jan 29, 2007 3:00 pm

My opinion is that the author of the article simply didn't have enough experience to handle a Gentoo setup.
Criticizing a distro while it's clearly a lack of knowledge and experience!
I think this article says more about the author than about Gentoo itself.
And of course Slashdot made a story out of it, pffff, shame on you too.
Last edited by massctrl on Mon Jan 29, 2007 3:28 pm; edited 1 time in total
Clete2
Guru
Joined: 09 Aug 2003
Posts: 529
Location: Bloomington, Illinois
PostPosted: Mon Jan 29, 2007 3:25 pm

We've been Slashdotted. They say it seemed to stir up a lot of discussion, but this is a relatively short thread at only 2 pages...

As for my opinion, just run your system using x86 compilations (not ~x86) and make sure it's all stable and you should be fine. I would run Gentoo on a server, but I would never upgrade packages unless they found major security vulnerabilities. Gentoo is very conservative about marking packages stable, so the stable ones are usually very stable (makes sense, huh? :P)
Jeremy_Z
l33t
Joined: 05 Apr 2004
Posts: 671
Location: Shanghai
PostPosted: Mon Jan 29, 2007 4:00 pm

Hideki wrote:
...
And all the USE flags and the possibility to build your own binary are really for servers.
Who cares if your GNOME didn't have LDAP built in. But it does matter if your server software didn't have it.

Nothing really is secured in 'no time'... You have the illusion that Debian might be secure by default; it is true, if you don't run anything, but once you do, you do take time to make it secure no matter what OS you're using.
...

Binary packages from a server distro will include what you need to make it work; the way it is used in Gentoo is more of an opt-out policy that could be useful security-wise, but you will rarely miss it. If some corporate software can use LDAP, I doubt a semi-decent distro won't include that binary package.

Debian ain't secure by default, and yes, a distro (not an OS) can give you very good security defaults for some server roles that are well defined.

A distribution can do that just as Gentoo can give you Postfix with an open relay as default or not.
What Gentoo will have more trouble doing is choosing the authentication backend for you and shipping Postfix configured to use it ... only because it is Gentoo policy.

If I want a secure mail server with SMTP and SPOP I don't need to read thousands of howtos if I can just google the right tool for that job. (and after that I still have to convince *management* to use it, but that is another story)
_________________
"Because two groups of consumers drive the absolute high end of home computing: the gamers and the porn surfers." /.
My gentoo projects, Kelogviewer and a QT4 gui for etc-proposals
All times are GMT
Page 2 of 4