Why I'm dropping recommendation of Gentoo

[labrador]

I've been using Gentoo for a year and 1/2. It has worked fairly
well for me, but I've come to the point where I have to conclude
I spend too much time on maintenance, and I am starting to
have serious concerns regarding the very short QA time Gentoo
has between unstable and stable.

I'm a user who likes to update to the latest security fixes once a week.
I use emerge -uD world, (checking pretend first), and typically
something will go wrong with building a package, or a package
update will break existing functionality.

Here are a list of things Gentoo does wrong:

• * purely security related updates not available as emerge option

• * QA isn't catching serious flaws that seem to hit dozens of people when package released to stable

• * packages that require unstable packages are being released by QA

• * important package release information has no way to reach user reliably
  (ewarnings are buried in thousands of lines of output, scanning changelogs isn't practical)

As a result of the above, Gentoo is a high maintenance distro, and I don't have the time
to chase through the constant stream of issues arising from my 3 personal machines
running it. It will be tough chosing a replacement, and on the Sun I just might stick
with it since there are not many choices.

To balance, here are some things Gentoo does right that play a crucial role in its success:

• * User Forums - this just wouldn't work as a mailing list!

• * Well written Docs and Guides, with highly readable layout

• * Portage - excellent package management system

• * Community - forums and GWN and the people here are very good at keeping people connected

• * Incremental upgrades design - never install it again

[kimchi_sg]

Goodbye.

[AlterEgo]

There's no need for emerge -uD world, just emerge -u world whenever you feel like it, and most of the issues you describe are gone.
Second: subscribe to the Gentoo security mailing list, and act accordingly if security issues affect you.
My maintenance time (not compile time ) is less than 5 minutes a week.

[labrador]

Both redhat and debian make it possible to ask for only security updates.
Gentoo doesn't have it.

The issue is high maintenance. Reading security bulletins and trying
to figure out if I have those packages on each system is very time consuming.
I have 472 packages on one of my systems. I'm not going to commit that
to memory times 3. Try it yourself without using qpkg or another query.
Do you have x11-libs/libzvt on your system? What about sys-apps/attr ,
net-dns/libidn or media-sound/ogmtools?

As for emerge -u or -uD - it doesn't matter. The things I've seen break
would happen either way. In any case, -D in theory should be better
because it recompiles dependancies.

There is a fundamental philosophical problem I have with the Gentoo developer
way of thinking, and the response above is an example of it. The workarounds,
like reading security bulletins, or such as installing someone's private
script to pull ewarnings out of emerge sessions, are not recognized
as issues that need fixing in the core design of the OS.

I'm having problems with having time to maintain 3 systems. How would
a sysadmin maintain a server room of Gentoo boxes (assuming they
were being updated regularly)? If Gentoo doesn't address the high maintenance,
Gentoo will remain a hobby system.

Two years after someone made a bug report requesting that we have a way to
raise the visibility of ewarnings, there is still no official Gentoo solution to this.
I could use the privately developed script to do it, but I won't because it won't
be part of the Gentoo OS. I am not using hacks where a properly designed
and integrated solution should be created. Why? Because I want it to be
part of the QA'ed release. I don't want to find out that the script is unreliable
or does something wierd because it isn't an official part of Gentoo portage's
tools and something had changed.

[TrueDFX]

Security updates can be handled with glsa-check. It's part of gentoolkit.

[Q-collective]

Both redhat and debian make it possible to ask for only security updates.
Gentoo doesn't have it.

Ever heard of glsa-check?

As for emerge -u or -uD - it doesn't matter. The things I've seen break
would happen either way. In any case, -D in theory should be better
because it recompiles dependancies.

You are absoluely right here, I think Gentoo needs a new tree for the people that rely on stability, call it "arch-stable" as opposed to "arch"

I'm having problems with having time to maintain 3 systems. How would
a sysadmin maintain a server room of Gentoo boxes (assuming they
were being updated regularly)? If Gentoo doesn't address the high maintenance,
Gentoo will remain a hobby system.

Correct

[Syntaxis]

Both redhat and debian make it possible to ask for only security updates.
Gentoo doesn't have it.

Ever heard of glsa-check?

Glsa-check is an improvement, but still not enough. True security-only updates would require backporting of security patches.

[Cintra]

Two years after someone made a bug report requesting that we have a way to
raise the visibility of ewarnings, there is still no official Gentoo solution to this.
I could use the privately developed script to do it, but I won't because it won't
be part of the Gentoo OS. I am not using hacks where a properly designed
and integrated solution should be created. Why? Because I want it to be
part of the QA'ed release. I don't want to find out that the script is unreliable
or does something wierd because it isn't an official part of Gentoo portage's
tools and something had changed.

You are clearly an intelligent person, and your comments should be considered seriously, but I can't feeling your attitude to portlog-info (should that be the script in mind) strikes me as rather 'cut of your nose to spite your face)
Running 'portlog-info --since=xx' after a bunch of emerges simply makes good sense - it should be added to gentoolkit ASAP.
Mvh

[marcion]

Well one option would be to offer emerge --security-updates. However if you think about it, one person's non-essential update is a vulnerability that is a show-stopper to another person's system, depending on how it was setup. If you had:

emerge --security-server
emerge --security-desktop
emerge --security-dev-server
emerge --security-filesharingteenager
and so on and so on.

You could basically go on for ever. Who would maintain these? If it is business critical to you and other people then you could cough up some money for it I suppose. At the end of the day, free software means that you are in charge of your own system, and therefore have to learn the issues yourself. MC$haft offers an overall security update service, does it help? Not really.

No offence but if you have 3 computers it doesn't sound like a nuclear power station or a credit card company. Someone could use a security risk in Tux Racer to take over my system but who basically can be bothered. The world would not end if they did. Computers are one of the most secure parts of a business, far more fraud and data loss etc happens through people stealing your bin bags at night or through annoyed employees going to the competition.

An emerge --security might give a fig leaf covering of security but basically the whole system needs to be secure. Near-perfect security would require a feature freeze and then a team to maintain that level of features, I think that is a waste of effort. Computers are about making compromises and finding a happy average and being able to survive if something does go wrong. I also like the idea that the brightest people who are working on the latest packages and know most about them are the same people making them most secure too; rather than having two teams, a team of clever people who make new software and then the leftover dross who are left in charge of your security.

[Gherald]

Okay this "no security updates for old packages" thing has come up way too many times. I'm going to start polishing a rant that I'll link to every time this issue comes up. Here's the first draft:

-rant-

Bleh at everyone who complains about gentoo's lack of security-only updates. bleh, BLEH, BLEH!!!

It is completely antithetical to Gentoo's modus operandi of "rolling updates".

Gentoo developers do not maintain old versions of packages when there is a new stable version of the package that fixes the problem.

If this does not work for you, DO NOT USE GENTOO, and do not complain about it.

The Gentoo devs would love to be everything to everyone but they are busy focusing on NEW software and simply DO NOT HAVE TIME to backport patches to old versions. Why is this not a problem? There are other distributions (gasp!), particularly Debian, that already do an EXCELLENT job of maintaining a secure and stable package tree. Stable in this context means that you are very, very seldom forced to upgrade to a later version of a package in order to have the latest security patches.

This is basically the opposite of Gentoo's "upgrade to a new version at the first sign of danger" approach. Why? Because Debian maintains old versions of packages (which they call "stable"), whereas Gentoo just gives you the latest.

Is Debian more secure than Gentoo? No, the GLSA team and security.debian.org are both top notch security groups. But when it comes to package stability vs. running the latest and greatest software, pick your poison and STFU.

-done-

Obviously not a very rigorous presentation of the case, but the underlying reasoning is sound and I am just getting very tired of rehashing explanations to counter this fundamental misconception of what Gentoo should be.

[AlterEgo]

As for emerge -u or -uD - it doesn't matter. The things I've seen break
would happen either way. In any case, -D in theory should be better
because it recompiles dependancies.

I think you increase the risk of breaking "downstream" dependencies: if you update a package that is a dependency of eg. mplayer, there's a chance that mplayer will no longer work. Many people warn against -uD on these forums.

[labrador]

People have mentioned glsa-check. I did look at this briefly before and it
didn't seem useful. I run it just now and the first thing I see is:

# glsa-check -l
WARNING: This tool is completely new and not very tested, so it should not be
used on production systems. It's mainly a test tool for the new GLSA release
and distribution system, it's functionality will later be merged into emerge
and equery.

So I'm supposed to be comfortable running this? There is no man page.

Secondly, I don't see how to save output from it in a way that emerge can handle.
I suppose I could pipe it through some sed expression or perl
to grab the names, but again, why should I invent something
that may eventually break and should be an option officially
built into the OS. However, it looks like the option I'd like to see
will be coming, according to the warning.

True security-only updates would require backporting of security patches.

The concept of a set of builds that are there for security reasons isn't that odd.
I'm not expecting back ports. I am only expecting to get a list of package
names that have been updated since my last "emerge -u security" (or whatever
it could be called) because of security issues, and not merely because the
version is bumped for some other reason. Why? Because it would allow me
to update only stuff that really needs it, not merely to get the bleeding edge
release of the week.

No offence but if you have 3 computers it doesn't sound like a nuclear power station or a credit card company. Someone could use a security risk in Tux Racer to take over my system but who basically can be bothered. The world would not end if they did.

Regarding my want of stable. I don't have to be running a credit card business
or nuclear power plant to desire protection of my system. My work is there,
and my personal communication is there, and I want to preserve and protect it.
I have as much right to that as any user.

Secondly, I take a dim view of users who do not secure their systems and
allow them to become virus/spam/ddos zombies. I don't want my system
to be used for evil purposes just because I was lazy about security.

You could basically go on for ever. Who would maintain these? If it is business critical to you and other people then you could cough up some money for it I suppose.

Does Debian expect users to pay for security only updates? The concept of
the costs involved is false. You already have the information in glsa - its just
a matter of building in the hooks with emerge. The warning I quoted
makes it sound like this is on the way.

Running 'portlog-info --since=xx' after a bunch of emerges simply makes good sense - it should be added to gentoolkit ASAP.

I agree. I'll run it when it is available. Until then, I don't want to add a layer of
complication by starting to rely on something that isn't official and isn't being maintained.
I've been there before.

If this does not work for you, DO NOT USE GENTOO, and do not complain about it.

I don't think Gentoo developers really feel this way.
Why are they asking for email on how Gentoo is being used?
Why did they run a user survey to see how Gentoo is being used and what
requests users have? My criticism is constructive criticism. It can be used
to make Gentoo better.

I said it before, after the user survey: if other distros discovered that only
18% of users have their flavour of Linux deployed in a production role,
I think they would freak out. Reading this as a lack of interest is
the wrong interpretation. It is like Canon saying that only 2% of its
customers use Linux. Perhaps if Canon had driver support for
their printers and scanners then 10% of their customers would
be Linux users - they can't really know until after they have built
the support. Likewise, if Gentoo was lower maintenance, and had
better QA on stable, perhaps the percentage used as production servers
would rocket upward.

[DNAspark99]

as a fellow sysadmin begining to deploy gentoo in a production environment, I fully agree with the validity of labrador's points. The resolution of these issues would complete gentoo fully, eliminating it's current weakpoints.

[Shadow Skill]

I would think it would be intelligent not to use a tool that warns that it is not official and may contain bugs that could cause some really annoying problems, I would not exactly call the use of such a tool a proper solution in a home or production environment. Having a flag that scans for security updates only is a more proper solution to that particular issue Labrador is having period end of story. In my own experience I have seen ebuilds that essentially point to files that do not exist on the default rsync servers, I have seen ebuilds that have been broken for about six months with the same same error which someone solved by editing a line in the ebuild file, I tried this fix and it still sucked up every last bit of ram and made killing the process impossible. This error was reported here on october 8th 2004 [I would assume there is an existing bug report for the ebuild at least as I do not think this is an actual bug in Pyqt at all.] and the last time I tried emerging pyqt with the fix the error was still present! So in that respect of QA I think I can feel Labrador's pain exquisitely. The "do not use this distro" flame really has no place when addressing genuine concerns, I would hope the developers don't have the same attitude.

[virtual]

Hi,

I don't get it only once has an upgrade caused problems which was'nt my own fault, and then just waiting a couple of days and then doing a emerge -uvD world fixed it.

I am an emergaholic and do an emerge -uvD world once a day. I use a nvidia card and have used several models from this manufacturer without problems, I have 2 p4 pc's with different motherbords and chipsets and one laptop with pentium M. I have no problems. It may be that the problem is in the applications you use, your CFLAGS or USE flags I don't know but from my limited experiance with Gentoo it's one of the easiest to maintain (if you don't use unstable packages of course) and very stable. It makes me wonder, I use KDE and a lot of KDE's packages, what packages make the system unstable because it's not portage or the toolchain (gcc 3.3.5 and so on)l

[charlieg]

As Larry the cow would say: Mooooo.

[Gherald]

Anyone here wanna take wag at what happens when an OS tries to be all things to all people?

Seriously folks, this security for old versions thing has been discussed many times before. I think the only reasonable conclusion is that gentoo does not have the dev time nor the motivation to be debian-stable-like.

Disagree with my assessment? Feel free to start your own side project to write ebuilds for backported patches. You won't get anywhere useful, and asking the current devs to take time away from what they do best would be selfish.

It is hard work to maintain old packages. Please, pick the right tool for the right job, and quit asking for the moon on a stick.

[labrador]

# glsa-check -l
WARNING: This tool is completely new and not very tested, so it should not be
used on production systems. It's mainly a test tool for the new GLSA release
and distribution system, it's functionality will later be merged into emerge
and equery.

Please read the above. It states that some time, in the future, emerge
will have some sort of glsa-check hook. It's not impossible. It's just
a question of when. And again, I'm not expecting security patches
of old versions of stuff. It doesn't work like that with Gentoo since
only a few recent versions of any package are available in portage tree.

As for the other person who hasn't seen any problems yet, just keep
running 'emerge sync ; emerge -u world' and some day you'll find
a problem that you can't fix and you need to research on the forums
and bug reports. Most of the time there are others with the same problem
(QA didn't catch a commonly found flaw) and you can find
a solution of some sort. People find the answer there and say
hurray for the forums. I've been there and appreciated this.
But after the 100th experience like this, the novelty has worn off
and I ask myself why am I fighting problems when all I really
wanted to do was launch a browser and read the news
while I shave before work?

I could list the last 12 problems I've had but there isn't much point.
Just visit the Gentoo Portage forum and read the 12 most recent topics.
It will be the same sort of information.

[Gherald]

Please read the above. It states that some time, in the future, emerge
will have some sort of glsa-check hook. It's not impossible. It's just
a question of when. And again, I'm not expecting security patches
of old versions of stuff. It doesn't work like that with Gentoo since
only a few recent versions of any package are available in portage tree.

Yay, so you do understand. Sorry I mistook you for another freak who doesn't understand the difficulty of maintaining old packages.

As for the other person who hasn't seen any problems yet, just keep
running 'emerge sync ; emerge -u world' and some day you'll find
a problem that you can't fix and you need to research on the forums
and bug reports. Most of the time there are others with the same problem
(QA didn't catch a commonly found flaw) and you can find
a solution of some sort. People find the answer there and say
hurray for the forums. I've been there and appreciated this.
But after the 100th experience like this, the novelty has worn off
and I ask myself why am I fighting problems when all I really
wanted to do was launch a browser and read the news
while I shave before work?

Well if you want to be lazy about it, just skip things that fail to merge properly (using pye or somesuch) and wait for them to be fixed in the next release of the package. No harm done.

I for one tend to look at ebuild errors as being an opportunity to contribute something back with a bug report, rather than force the devs to go through overly extensive and time consuming QA testing. In my experience, the vast majority of errors I've encountered get fixed in portage within 24-30 hours. Why do you find this so terribly inconvenient when the previous version of the package continues to work fine?

[jsosic]

Labrador, this is a free world. If Gentoo takes too much of your time, choose Debian Woody, and you won't brake your dependencies. You won't need to recompile, so there wouldn't be any more compile errors and forum reasearches. It's rock stable, has reverse dependencies and great packaging system, not as strong as Portage but still strong enough. If you're not satisfied with Debian, chose any of the other 94238530294850398 distros around here. Try FreeBSD, maybe it will satisfy you. Nobodys pushing you to stay with Gentoo. Nobody kidnapped your daughter to keep you here.

But I don't understand ONE thing. Why aren't you ambarrased for criticising so much about gentoo security issues, and yet, I don't see your's contribution to Gentoo comunity? You except everything and you expect it for free. There isn't a application in portage tree? Don't request, ask if you can be a maintainer. You need maximal security? Try to become "grsec, thisec thatsec uber-duper secure hardened" kernel maintainer? STOP COMPLAINING. Buy a M$ product and than send them your wishlists!

This comunity doesn't need arrogant people requesting, demanding, wishing, wanting, debating and waiting on others to do something for them.

And one more thing, goodbye.

[labrador]

This comunity doesn't need arrogant people requesting, demanding, wishing, wanting, debating and waiting on others to do something for them.

And one more thing, goodbye.

Arrogant? Demanding? I hardly think so. But perhaps you should look in the mirror.

And you should look at some of the comments in this thread agreeing with
my points. Think about it, if you ran a restaurant, don't you want to
know why customers left? My feedback is a gift, not a curse, and
perhaps someday Gentoo will be better for people like me pointing
out the weaknesses in the system.

I'm made my share of bug reports, helped where I could in the forums, marked
[Resolved] on anything I started that was later figured out. I've been a good
Gentoo citizen and have enjoyed sharing discoveries and tips with people in my LUG.

One can only contribute where one has abilities and can offer something
new or improved. I'm not much of a C hack, so I don't even bother.

I did discover and partially develop one thing that doesn't exist anywhere else:
a method for cloning Sparc disks over the network from a network boot.

My proposed addition to the Sparc guides (or whatever the
developers want to do with it) is documented here:

http://dev.gentoo.org/~swift/sparc-disk ... guide.html

It isn't a great contribution - simply adding udpcast to a tftpboot image maker,
but it might be useful for some.

[hollywoodcole]

I don't understand why you guys waist your time replying to this post. I have seen allot of posts that start just like this and by now even to me its getting old. I see every other week someone saying something about how gentoo is unsecure and then go one to compare it to redhat and debian and how you can specify only security updates. Then they talk about they hate gentoo and are giving up on it.

Your not helping saying that your leaving gentoo alone, you should have just offered your suggestions!

I should hope by know from the number of post you have you know that you can make gentoo as stable and secure as you need it to be and also specify what packages you want!

Here is another option for people who complain, there's always Windows!

[Gherald]

I should hope by know from the number of post you have you know that you can make gentoo as stable and secure as you need it to be and also specify what packages you want!

No, that's pointless fanboy talk. A gentoo installation cannot be both stable and secure because many GLSA issues are resolved by upgrading to the latest version of a package, and that is not stable. Where do you think the "stable" in "Debian stable" comes from?

[djdunn]

its most of the time not a problem of QA when something breaks. emerge fails most of the time due to a configuration error.

[jsosic]

Labrador, you don't know what are you asking for. Whole another portage tree as someone mentioned... Another way to comply to your wishes is a "step back", for example x86 becomes "stable", and ~x86 becomes what x86 currently is. You and few alike would be satisfied, but allot of users would go away from Gentoo. Love it or not, Gentoo IS BLEEDING EDGE. Maybe one day third tree will be introduced, but what I am saying is stop demanding it and propose that thing to developers, start working on it and get your hands dirty. That kind of tree requests additional maintainers and lots of additional work to be done, but hey, you DON'T HAVE TIME to develop, improve, test. But you have time to argue on gentoo forums. Nice to know... Gentoo is a free product maintained and developed mainly by volunteers. And how do you know somebody else has a time for something that you don't?

I bow to KDE maintainers for braking KDE packages into pieces, but noone dared to demand such a huge effort from them, they did it themselves! Why can't you do the same thing? Take at least two packages and maintain their's stable version. Find another 50 people agreeing with you and make them maintain some other packages and here you go, you'll got a stable tree.

Every distro has it's advantages and disadvatages, so has gentoo. I admit, every now and then something breaks, especially from ~ tree, but nothin' horrible as you described it. Gentoo is a bleedingedge distro at the end. Shout at Redhat for Fedora havin' all those latest versions and not having them in stable branch with dozens of security fixes. Or buy Redhat Server for that purpose. It's the sam with Debian, use Woody. Why do you want to stay with Gentoo? To be cool or something? If it doesn't suit you, I repeat, there's a hundreds of other distros out there. That's the purpose of distro's, to fullfill what people demand.

What are you asking from Gentoo comunity is the same thing as if you asked Debian to abandon thing what they call stable at the moment (Woody), cause versions are very old and outdated. If you said that they should spend more time fixing Sarge and making Sid useable, than patching some prehistoric version of PAM. Try to do this on debian forums, and return us some quotes, will you?