News and Editorials
In Part 1 of this article we
looked at general differences between Debian GNU/Linux and FreeBSD from the
point of view of a system administrator maintaining a web server. In the
second part, we'll investigate the security aspects of each operating
system and briefly look at some issues requiring consideration when
migrating applications and scripts between Linux and BSD.
In this age of increasing Internet vandalism, it is vital that system
administrators keep close eyes on vulnerabilities discovered in any of the
software packages deployed on their servers. Luckily, both Debian and
FreeBSD have developed solid infrastructures for keeping their operating
systems patched and/or updated in a speedy manner whenever a security
problem arises. However, the two differ radically in the way they implement
these security updates. This is probably one area that will have the
greatest weight on a system administrator's decision to choose an operating
system, so let's get it out right away: keeping a Debian installation
up-to-date with respect to security patches is extremely simple,
straightforward, and well-established. On the other hand, keeping FreeBSD
up-to-date is a complex issue involving many steps. While this might sound
like a discouraging remark, there are certain advantages to the FreeBSD
approach. We'll investigate these in the next few paragraphs.
A stable Debian release has a security team which is normally very fast in
issuing security advisories and releasing patches to fix known
vulnerabilities. System administrators running Debian systems can subscribe
to the debian-security-announce
mailing list, then every time a security advisory is announced on the list,
a simple "apt-get update && apt-get upgrade" will patch all known
security holes in the system. This is a simple, well-proven method that has
worked for Debian for many years. It can even be automated so that patches
are applied automatically (with a custom script or with cron-apt) on a
daily basis, although many users prefer to oversee these updates, just in
case something needs extra attention. It is important to realize that in a
stable Debian branch, a package with a security problem is almost never
upgraded to a later version to fix the problem; instead, the existing
version is patched to fix the vulnerable code. Apart from that, there is
little else that needs to be said here. Because of the power of apt-get,
combined with fast work of the Debian security team, it is extremely easy
to maintain a Debian system that is free of security problems. This is
perhaps the strongest case for using Debian stable as a web server.
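
A reporting-only variant of the automated check described above, for administrators who prefer to oversee the updates themselves. This is an added example, not code from the article or from Debian; the function names, the sample output and the "Debian-Security" origin label it matches are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): list pending security upgrades,
# install nothing.

# sample_output: constructed "apt-get -s upgrade" output for offline testing.
# Package names and versions are made up.
sample_output() {
    cat <<'EOF'
Inst libexample1 [1.0-1] (1.0-1+deb12u1 Debian-Security:12/stable-security [amd64])
Inst otherpkg [2.3-4] (2.3-5 Debian:12.1/stable [all])
Conf libexample1 (1.0-1+deb12u1 Debian-Security:12/stable-security [amd64])
Conf otherpkg (2.3-5 Debian:12.1/stable [all])
EOF
}

# pending_security_upgrades: read simulated upgrade output on stdin and print
# "package old -> new" for each upgrade offered by the security archive.
# Assumption: that archive shows up with the origin label "Debian-Security".
pending_security_upgrades() {
    awk '
        $1 == "Inst" && /Debian-Security:/ {
            if ($3 ~ /^\[/) { old = $3; new = $4 } else { old = "(none)"; new = $3 }
            gsub(/^\[|\]$/, "", old)
            sub(/^\(/, "", new)
            print $2, old, "->", new
        }'
}

# security_report: refresh the package lists, then report without upgrading.
# "-s" makes apt-get simulate, so nothing is installed or removed.
security_report() {
    apt-get -qq update || return 1
    apt-get -s upgrade | pending_security_upgrades
}
```

Calling security_report from a daily cron job mails the administrator a list to review; the actual "apt-get upgrade" stays a manual step.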
Things are quite a bit more involved in FreeBSD. But before we get into the
details, let's make one thing clear - an observation that may not be
immediately apparent to a user who has been using a Linux distribution for
a while and who is now looking to migrate to one of the BSD operating
systems. As already mentioned in the first part of this article, FreeBSD
consists of two independently maintained layers: a base system (commonly
referred to as the "kernel and userland") and additional applications (or
"ports" in BSD speak). This separation of the base system and applications
has its advantages - as an example, administrators who are still running
the legacy 4.x FreeBSD systems can install the latest versions of most
applications without having to upgrade to the newer FreeBSD 5.x series. On
the negative side, this separation means that they need to pay attention to
security issues on two fronts - in the base system, and in any of the
installed ports. These can be handled in several different ways, but BSD's
"cvsup", in combination with another automation tool, is probably the
most common method in use.
First let's take a look at the base system. All administrators running
FreeBSD should subscribe to the freebsd-security-notifications
mailing list to keep informed about any security advisories issued by the
FreeBSD project. This list is strictly limited to security issues found in
the FreeBSD base system, never in the ports. As such, it is a low-volume
list - in 2004 there were only 17 security advisories published on this
list (in contrast, the Debian security team published a total of 228
security advisories during the same period).
Once system administrators receive a security advisory, they have three
options. The first one (and the easiest) is to download and install the
updated binary userland package or kernel. While this is generally a simple
task, it is only relevant to systems running the FreeBSD GENERIC kernel and
userland. In practice, however, most administrators will probably run a
modified kernel and therefore will need to use one of the alternative
update methods. The second option is manual patching; this involves
downloading the patch, verifying the GPG signature, applying the patch,
then recompiling the userland (or a part of it), kernel, or both. The third
option is probably the most widely used - by tracking the security branch
of a FreeBSD release, system administrators can use the cvsup tool to
update their userland and kernel after each security advisory, then
recompile both (if necessary), and reboot the system.
As for security issues in FreeBSD ports, probably the easiest way to keep
informed about the potential vulnerabilities in any of the installed ports
is with the "portaudit" tool. Portaudit uses the Vulnerability and eXposure
Markup Language, an XML application for documenting security issues in a
software package collection. Once installed, it will scan for security
vulnerabilities once per day and report any problems as part of
FreeBSD's daily security report. When vulnerabilities are found, the
administrator has a choice of either applying binary updates, or
downloading updated ports and recompiling them on the system. Again, the
former option is only relevant to vanilla systems and is rarely used in
practice. Compiling ports, however, can be time-consuming; it involves
updating the local ports tree with cvsup, then checking a relevant text
file for potential caveats, before running the usual 'make install'
command. Some packages might need manual intervention, while others might
require that their dependencies be recompiled as well. To make the task of
upgrading ports less tedious, many system administrators prefer to use
"portupgrade", probably the best tool for this task. Nevertheless, even
with portupgrade, manual intervention is often needed. It is worth
mentioning that, besides cvsup, a new tool called "portsnap" is gaining
increasing acceptance among FreeBSD users.
An important consideration arises where administrators run mixed-OS
environments, or decide to migrate custom applications and scripts from
Linux to FreeBSD and vice versa. While most general-language scripts
written in Perl or Python will work equally well on both systems, shell
scripts will often not. This is because most Linux distributions use GNU
utilities, while BSD operating systems have developed their own shell
utilities with arguments and switches that often differ from the GNU ones.
A good case in point is "sed", which is part of the FreeBSD userland and
which sometimes behaves differently from GNU sed. That said, GNU sed is
available in FreeBSD as a port called "gsed", so something like
's/sed/gsed/g' might come in handy to convert scripts between the two systems.
Other shell scripts might need manual updating - even commands like "date" or
"stat" behave differently under the two operating systems.
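
The "date" and "stat" differences mentioned above can be hidden behind small wrappers so that one script runs on both systems. This is an added example, not code from the article; the function names and the USERLAND variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): wrappers that hide GNU/BSD flag
# differences in date(1) and stat(1).

# Pick the dialect from the OS name instead of probing flags: "date -r" and
# "stat -f" are accepted by both userlands but mean different things.
case "$(uname -s)" in
    Linux)                 USERLAND=gnu ;;
    *BSD|DragonFly|Darwin) USERLAND=bsd ;;
    *)                     USERLAND=unknown ;;
esac

unsupported() { echo "$1: unsupported userland" >&2; return 1; }

# epoch_to_utc SECONDS: print "YYYY-MM-DD HH:MM:SS" in UTC.
epoch_to_utc() {
    case "$USERLAND" in
        gnu) date -u -d "@$1" '+%Y-%m-%d %H:%M:%S' ;;  # GNU -r FILE = that file's mtime
        bsd) date -u -r "$1"  '+%Y-%m-%d %H:%M:%S' ;;  # BSD -r SECONDS = epoch time
        *)   unsupported epoch_to_utc ;;
    esac
}

# file_size PATH: print the size in bytes.
file_size() {
    case "$USERLAND" in
        gnu) stat -c %s -- "$1" ;;  # GNU -f = report on the file system
        bsd) stat -f %z -- "$1" ;;  # BSD -f = output format
        *)   unsupported file_size ;;
    esac
}

# file_mtime PATH: print the modification time as seconds since the epoch.
file_mtime() {
    case "$USERLAND" in
        gnu) stat -c %Y -- "$1" ;;
        bsd) stat -f %m -- "$1" ;;
        *)   unsupported file_mtime ;;
    esac
}
```

A script that checks file ages or sizes, such as a log-rotation or integrity check, can source these functions and avoid a flag that silently does something else on the other system.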
Given the above analysis, it is clear that Debian GNU/Linux is a system
administrator's dream come true. It is stable, secure, and extremely easy
to maintain. Its main disadvantage is that
stable releases are increasingly few and far between, so a Debian system
tends to get out of date. If this is unacceptable, administrators have an
option to install newer packages from third-party repositories or perhaps
upgrade to one of the Debian-based distributions with more frequent stable
releases, such as Ubuntu Linux. On the other hand, if it is desirable to
keep applications up-to-date to take advantage of new features in them,
FreeBSD is hard to beat. The applications in its ports tree are maintained
independently of the base system and can be updated regularly with relative
ease. On the negative side, maintaining a FreeBSD system and keeping it
up-to-date with security and bug-fix updates is a complex and
time-consuming task, sometimes requiring hours of compiling software.
Distribution News
Click below for the minutes from the February 24, 2005 meeting of the
Fedora Extras Steering Committee. Included are pointers to the schedule
for Fedora Extras, news about the creation of an accounts system, the CVS
infrastructure and more.
Full Story (comments: none)
The summaries and full logs of the last two Ubuntu Community Council
Meetings are available. For the meeting on February 8 topics included
Reply-To Redux (for ubuntu-users list), LoCo Teams, and New Members and
Maintainers. Here is the summary and the full log. The next meeting was
held February 22, with a look at Reply-To revisited, a new MOTU (Master Of
The Universe) to review packages, a review of LoCo team leader candidates,
and more. Here is the summary and the full log.
Here is the latest update on Debian Project Leader Election 2005. There are
six candidates: Matthew Garrett, Andreas Schuldei, Angus Lees, Anthony
Towns, Jonathan Walther and Branden Robinson. Platforms should be available
soon, if they are not already posted at the Debian Vote 2005 website.
Bits from SPI looks at the latest news
from SPI (Software in the Public
Interest). There are some new pages at the web site, one for meetings
another now accepts donations by check from Canada, plus a president's
page and a secretary's page. The next SPI meeting will be held on IRC on
March 15, 2005.
Dropline GNOME has announced
the release of Dropline GNOME 2.8.3 desktop, for Slackware Linux. This
release has been built for Slackware 10.0; it has also been tested on
Slackware 10.1.
New Distributions
Asterisk PBX is Linux based, open
source PBX software that provides voice over IP in three protocols and is
interoperable with most standards-based telephony equipment using
comparatively inexpensive hardware. If you want an easy way to play around
with Asterisk check out Asterisk Live! This distribution is available as a
Live CD and a Compact Flash install. The Getting Started With Asterisk
guide provides an excellent starting point for both Asterisk and Asterisk
Live!
BioBrew Linux is an open source Linux
distribution based on the NPACI Rocks cluster software and enhanced for
bioinformaticists and life scientists. It automates cluster installation,
includes all the HPC software a cluster enthusiast needs, and contains
popular bioinformatics applications.
Pie Box Enterprise Linux is a product of UK-based PixExcel. This
distribution is built from Red Hat source RPMs to remain compatible with
Red Hat Enterprise Linux. The latest offering, Pie Box Enterprise Linux 4
AS, was announced (click below) February 28, 2005.
Full Story (comments: none)
Distribution Newsletters
The Debian Weekly News for March 1, 2005 is out, with a look at an open letter to OASIS, an update on the Sarge release status, Debian Cluster Components, a report on Debian at LinuxWorld, GNU/Hurd progress with L4, some answers to common release questions, a status update for the AMD64 Port, and more.
Full Story (comments: 20)
The Gentoo Weekly Newsletter for the week of February 28, 2005 is out. This issue covers the first European Gentoo developer meeting, Gentoo at FOSDEM 2005, package updates from the Gentoo Apache Team, new documentation for Gentoo/FreeBSD, and several other topics.
Full Story (comments: 1)
Ubuntu fans are already accustomed to the term Universe as the repository
of packages available for Ubuntu, but not part of the core system. MOTU or
Masters Of The Universe are those people who maintain packages in
Universe. In this first issue of the MOTU report the current team is
introduced, there's a look at how to get involved, and a look at future
plans.
Full Story (comments: none)
Here is the Ubuntu Traffic covering the final week in January. Some of the
threads covered include Testing Language Packs, Fedora Plans and Ubuntu,
Array CD 3, GTK2 CD Burning in Hoary, Translating and Rosetta, Ubuntu
Documentation Team Happenings, and more.
The DistroWatch Weekly for February 28, 2005 is out. "Welcome to this
year's 9th issue of DistroWatch Weekly! In this week's issue we will take a
look at Fedora Core 4 which, despite its delay, is no doubt going to be an
exciting release with many new features. Mandrakesoft and Conectiva
announced a surprise merger last week, but don't expect their products to
merge too, at least not in the short term. And those who are thinking about
buying the recently released Red Hat Enterprise Linux 4 can now sign up for
a 30-day evaluation period at no cost. Many more topics are covered in this
issue, so without further ado: happy reading!"
Minor distribution updates
Lineox has released Lineox Enterprise Linux 4.0, built from Red Hat
Enterprise Linux 4.0 source packages. "Lineox has replaced some
graphics files and changed or replaced some other files mainly because of
trademark issues while retaining full compatibility. This release includes
also updated packages which were built from 28 source packages..."
Full Story (comments: none)
Puppy Linux has released Puppy
Linux version 0.9.9, and the first official release of Puppy Unleashed.
"If Puppy does not have the application you need, now there is a very
simple solution: use Puppy Unleashed to create your own custom live-CD or
USB-stick with exactly the apps you need. Even get Puppy smaller if you
want, like 35M or less. Unleashed currently has about 260 packages, and our
Puppy enthusiasts are preparing more. The build script is highly
intelligent, with dependency checking and automatic generation of menus for
the window managers."
Full Story (comments: none)
tinysofa has released tinysofa
enterprise server v2.0 Update 1 (Odin). "This maintenance release
incorporates updates issued since the release of 2.0 and addresses all
known security issues."
Package updates
Fedora Core 3 updates:
gimp-help-2-0.1.0.7.0.fc3.1 (version 2-0.7),
bind-9.2.5rc1-1 (upgrade to ISC BIND v9.2.5rc1),
gnucash-1.8.11-0.fc3 (upgrade to v1.8.11),
dhcp-3.0.1-40_FC3 (bug fixes),
at-3.1.8-64_FC3 (now supports access control with PAM),
vixie-cron-4.1-24_FC3 (bug fixes and enhancements),
lam-7.1.1-1_FC3 (upgrade to v7.1.1),
pvm-3.4.5-2_FC3 (bug fixes),
radvd-0.7.3-1_FC3 (upgrade to v0.7.3),
selinux-policy-targeted-1.17.30-2.83 (allow squirrelmail spell checking to work),
openoffice.org-1.1.3-6.5.0.fc3 (fix individual programs not launching),
tcsh-6.13-10.FC3.1 (fix incorrect message output),
gamin-0.0.25-1.FC3 (fixes some problems with gamin-0.0.24).
Trustix Secure Linux has issued a bug fix advisory for cyrus-imapd, dev,
postfix, ppp, samba, and squid. Click below for details.
Full Story (comments: none)
Newsletters and articles of interest
O'ReillyNet has an interview with several core NetBSD developers.
"NetBSD's goal is to port the
OS to as many platforms as it can. Which missing platforms would you like
to support?
Christos Zoulas: We are currently working on IA64 and we should have
something to show soon. As far as other platforms go, it is quite
random."
Distribution reviews
Linux Times.net compares Xandros v3 Open Circulation Edition with
SimplyMEPIS 2004.6.
"Xandros is a commercial company, but they are offering the so called
"Open Circulation Edition" for free download via BitTorrent. However, the
OCE does not have all the features as the boxed versions, but more about
this later. SimplyMEPIS on the other hand gives you a full version of
MEPIS, while they ask you to register your copy by making a small
donation."
Page editor: Rebecca Sobol