In Part 1 of this article we
looked at general differences between Debian GNU/Linux and FreeBSD from the
point of view of a system administrator maintaining a web server. In the
second part, we'll investigate the security aspects of each operating
system and briefly look at some issues requiring consideration when
migrating applications and scripts between Linux and BSD.
In this age of increasing Internet vandalism, it is vital that system
administrators keep a close eye on vulnerabilities discovered in any of the
software packages deployed on their servers. Luckily, both Debian and
FreeBSD have developed solid infrastructures for keeping their operating
systems patched and/or updated in a speedy manner whenever a security
problem arises. However, the two differ radically in the way they implement
these security updates. This is probably one area that will have the
greatest weight on a system administrator's decision to choose an operating
system, so let's get it out right away: keeping a Debian installation
up-to-date with respect to security patches is extremely simple,
straightforward, and well-established. On the other hand, keeping FreeBSD
up-to-date is a complex issue involving many steps. While this might sound
like a discouraging remark, there are certain advantages to the FreeBSD
approach. We'll investigate these in the next few paragraphs.
A stable Debian release has a security team which is normally very fast in
issuing security advisories and releasing patches to fix known
vulnerabilities. System administrators running Debian systems can subscribe
to the debian-security-announce
mailing list, then every time a security advisory is announced on the list,
a simple "apt-get update && apt-get upgrade" will patch all known
security holes in the system. This is a simple, well-proven method that has
worked for Debian for many years. It can even be automated so that patches
are applied automatically (with a custom script or with cron-apt) on a
daily basis, although many users prefer to oversee these updates, just in
case something needs extra attention. It is important to realize that in a
stable Debian branch, a package with a security problem is almost never
upgraded to a later version to fix the problem; instead, the fix is
backported into the existing version, which is patched and rebuilt. Apart from that, there is
little else that needs to be said here. Because of the power of apt-get,
combined with fast work of the Debian security team, it is extremely easy
to maintain a Debian system that is free of security problems. This is
perhaps the strongest case for using Debian stable as a web server.
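The "review before applying" workflow described above, as an added example that is not part of the original article: the script runs apt-get in simulation mode, keeps only the packages whose new version comes from the security archive (apt labels that origin "Debian-Security"), and applies the upgrade only when AUTO_APPLY=1. The sample simulation output embedded in the script is constructed for this example; the function names are this example's own.

```shell
#!/bin/sh
# Added example: list pending Debian security updates before applying them.
set -eu

AUTO_APPLY="${AUTO_APPLY:-0}"   # 1: run "apt-get -y upgrade" after the review

# Constructed sample of "apt-get -s upgrade" output (not real package data).
SAMPLE_SIMULATION='Reading package lists...
Building dependency tree...
Inst libssl0.9.7 [0.9.7e-3sarge1] (0.9.7e-3sarge2 Debian-Security:3.1/stable)
Inst apache2-common [2.0.54-5] (2.0.54-5sarge1 Debian-Security:3.1/stable)
Inst fortune-mod [1:1.99.1-3] (1:1.99.1-3.1 Debian:3.1/stable)
Conf libssl0.9.7 (0.9.7e-3sarge2 Debian-Security:3.1/stable)'

# Read "apt-get -s upgrade" output on stdin and print "package new-version"
# for every install whose new version comes from the security archive.
# Simulation lines look like:
#   Inst pkg [old-version] (new-version Debian-Security:3.1/stable)
security_updates_from_simulation() {
    awk '$1 == "Inst" && /Debian-Security/ {
        ver = $0
        sub(/^.*\(/, "", ver)    # keep the text after the opening parenthesis
        sub(/ .*$/, "", ver)     # drop the origin, leaving the new version
        print $2, ver
    }'
}

# Refresh the package lists, show what the security team has published,
# and apply it only when explicitly asked to.
review_and_apply() {
    apt-get update
    pending=$(apt-get -s upgrade | security_updates_from_simulation)
    if [ -z "$pending" ]; then
        echo "no pending security updates"
        return 0
    fi
    echo "pending security updates:"
    echo "$pending"
    if [ "$AUTO_APPLY" = 1 ]; then
        apt-get -y upgrade
    else
        echo "set AUTO_APPLY=1 to apply, or run: apt-get upgrade"
    fi
}

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_SIMULATION" | security_updates_from_simulation ;;
    run)  review_and_apply ;;
    *)    echo "usage: $0 demo|run" ;;
esac
```

Run it as "sh review.sh demo" to see the filter on the constructed sample, or "sh review.sh run" on a real Debian box; cron-apt users can drop the same awk filter into its mail report to spot security-origin packages at a glance.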
Things are quite a bit more involved in FreeBSD. But before we get into the
details, let's make one thing clear - an observation that may not be
immediately apparent to a user who has been using a Linux distribution for
a while and who is now looking to migrate to one of the BSD operating
systems. As already mentioned in the first part of this article, FreeBSD
consists of two independently maintained layers: a base system (commonly
referred to as the "kernel and userland") and additional applications (or
"ports" in BSD speak). This separation of the base system and applications
has its advantages - as an example, administrators who are still running
the legacy 4.x FreeBSD systems can install the latest versions of most
applications without having to upgrade to the newer FreeBSD 5.x series. On
the negative side, this separation means that they need to pay attention to
security issues on two fronts - in the base system, and in any of the
installed ports. These can be handled in several different ways, but
cvsup, in combination with another automation tool, is probably the
most common method in use.
First let's take a look at the base system. All administrators running
FreeBSD should subscribe to the freebsd-security-notifications
mailing list to keep informed about any security advisories issued by the
FreeBSD project. This list is strictly limited to security issues found in
the FreeBSD base system, never in the ports. As such, it is a low-volume
list - in 2004 there were only 17 security advisories published on this
list (in contrast, the Debian security team published a total of 228
security advisories during the same period).
Once system administrators receive a security advisory, they have three
options. The first one (and the easiest) is to download and install the
updated binary userland package or kernel. While this is generally a simple
task, it is only relevant to systems running the FreeBSD GENERIC kernel and
userland. In practice, however, most administrators will probably run a
modified kernel and therefore will need to use one of the alternative
update methods. The second option is manual patching; this involves
downloading the patch, verifying the GPG signature, applying the patch,
then recompiling the userland (or a part of it), kernel, or both. The third
option is probably the most widely used - by tracking the security branch
of a FreeBSD release, system administrators can use the cvsup tool to
update their userland and kernel after each security advisory, then
recompile both (if necessary), and reboot the system.
As for security issues in FreeBSD ports, probably the easiest way to keep
informed about the potential vulnerabilities in any of the installed ports
is with the "portaudit" tool. Portaudit uses the Vulnerability and eXposure
Markup Language (VuXML), an XML application for documenting security issues in a
software package collection. Once installed, it will scan for security
vulnerabilities once per day and report any problems as part of the
FreeBSD's daily security report. When vulnerabilities are found, the
administrator has a choice of either applying binary updates, or
downloading updated ports and recompiling them on the system. Again, the
former option is only relevant to vanilla systems and is rarely used in
practice. Compiling ports, however, can be time-consuming; it involves
updating the local ports tree with cvsup, then checking /usr/ports/UPDATING
for potential caveats, before running the usual 'make install'
command. Some packages might need manual intervention, while others might
require that their dependencies be recompiled as well. To make the task of
upgrading ports less tedious, many system administrators prefer to use
"portupgrade", probably the best tool for this task. Nevertheless, even
with portupgrade, manual intervention is often needed. It is worth
mentioning that, besides cvsup, a new tool, called "portsnap" is gaining
increasing acceptance among FreeBSD users.
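Both FreeBSD update fronts described in the preceding paragraphs, the base system (third option: tracking a release's security branch with cvsup, then rebuilding) and the ports (portsnap or cvsup, portaudit, portupgrade), as one added example script that is not part of the original article or of the FreeBSD project. The release tag RELENG_5_4, the GENERIC kernel name and the supfile path are placeholders chosen for this example; the script only shows the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: update a FreeBSD base system and its ports after advisories.
set -eu

RELEASE_TAG="${RELEASE_TAG:-RELENG_5_4}"      # security branch to track (assumed)
KERNCONF="${KERNCONF:-GENERIC}"               # replace with your custom kernel name
SUPFILE="${SUPFILE:-/etc/security-supfile}"   # where the generated supfile goes
DRY_RUN="${DRY_RUN:-1}"                       # 1: only show what would run

# Run a command, or merely show it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '[dry-run] %s\n' "$*"
    else
        "$@"
    fi
}

# Emit a cvsup supfile that tracks only the security branch of one release:
# no new features, just the fixes referenced by security advisories.
write_supfile() {
    cat <<EOF
*default host=cvsup.FreeBSD.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=$RELEASE_TAG
*default delete use-rel-suffix
*default compress
src-all
EOF
}

# Base system: sync sources to the security branch, then rebuild. An advisory
# often says that only part of the userland needs rebuilding; the full
# sequence below is the safe default when in doubt. installworld must run
# after the new kernel has been booted, so the script stops before it.
update_base() {
    if [ "$DRY_RUN" = 1 ]; then
        write_supfile
    else
        write_supfile > "$SUPFILE"
    fi
    run cvsup -g -L 2 "$SUPFILE"
    run sh -c "cd /usr/src && make buildworld"
    run sh -c "cd /usr/src && make buildkernel KERNCONF=$KERNCONF"
    run sh -c "cd /usr/src && make installkernel KERNCONF=$KERNCONF"
    echo "Reboot into the new kernel, then: cd /usr/src && make installworld && mergemaster"
}

# Ports: refresh the tree, refresh the VuXML database, audit, then upgrade.
update_ports() {
    run portsnap fetch update     # or: cvsup with "ports-all" in a supfile
    run portaudit -Fda            # -F fetch the db, -d print its date, -a audit all
    run portupgrade -a            # read /usr/ports/UPDATING before running this
}

case "${1:-}" in
    base)  update_base ;;
    ports) update_ports ;;
    all)   update_base; update_ports ;;
    *)     echo "usage: $0 base|ports|all (DRY_RUN=0 to execute)" ;;
esac
```

The dry-run default exists because every step after cvsup is slow and hard to undo; look at the printed command list, compare it with the advisory's instructions, and only then rerun with DRY_RUN=0.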
An important consideration arises where administrators run mixed-OS
environments, or decide to migrate custom applications and scripts from
Linux to FreeBSD and vice versa. While most general-language scripts
written in Perl or Python will work equally well on both systems, shell
scripts will often not. This is because most Linux distributions use GNU
utilities, while BSD operating systems have developed their own shell
utilities with arguments and switches that often differ from the GNU ones.
A good case in point is "sed", which is part of the FreeBSD userland and
which sometimes behaves differently from GNU sed (in-place editing, for
example: GNU sed takes "sed -i", while BSD sed requires "sed -i ''"). That said, GNU sed is
available in FreeBSD as a port called "gsed", so something like
's/sed/gsed/g' might come in handy to convert scripts between the two systems.
Other shell scripts might need manual updates - even commands like "date" or
"stat" behave differently under the two operating systems: GNU date parses
a date string given with "-d", whereas BSD date uses "-r" for an epoch value
and "-v" for adjustments, and the format flag is "-c" in GNU stat but "-f" in BSD stat.
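A set of small compatibility shims for the sed, stat and date differences just described, as an added example that is not part of the original article. The approach is to detect the GNU flavour once (GNU tools answer "--version", the BSD ones do not) rather than trying the GNU flag first and falling back, because on BSD the same flag can mean something else: BSD "date -d" sets the kernel's daylight-saving flag instead of parsing a date. The function names are this example's own.

```shell
#!/bin/sh
# Added example: shell shims that behave the same on GNU/Linux and FreeBSD.
set -eu

# Prefer GNU sed when the textproc/gsed port is installed; plain sed on Linux is GNU.
if command -v gsed >/dev/null 2>&1; then SED=gsed; else SED=sed; fi

# Does a tool answer --version? True for GNU coreutils/sed, false for the BSD ones.
is_gnu() {
    "$1" --version >/dev/null 2>&1
}

# In-place edit without -i, whose syntax differs (GNU: sed -i EXPR FILE;
# BSD: sed -i '' EXPR FILE). Writing to a temp copy and renaming it works
# everywhere; cp -p creates the copy so the original's mode survives the mv.
sed_inplace() {
    script=$1; file=$2
    tmp=$(mktemp "$file.XXXXXX")
    cp -p "$file" "$tmp"
    sed "$script" "$file" > "$tmp"
    mv "$tmp" "$file"
}

# Modification time in seconds since the epoch: GNU "stat -c %Y", BSD "stat -f %m".
file_mtime() {
    if is_gnu stat; then stat -c %Y "$1"; else stat -f %m "$1"; fi
}

# Epoch seconds to an ISO-8601 UTC timestamp: GNU "date -d @N", BSD "date -r N".
epoch_to_iso() {
    if is_gnu date; then
        date -u -d "@$1" +%Y-%m-%dT%H:%M:%SZ
    else
        date -u -r "$1" +%Y-%m-%dT%H:%M:%SZ
    fi
}

# Guard for scripts that genuinely need GNU sed extensions: prints the name
# of a usable GNU sed, or fails with a hint about the gsed port.
require_gnu_sed() {
    if is_gnu "$SED"; then
        echo "$SED"
    else
        echo "GNU sed not found; install the textproc/gsed port" >&2
        return 1
    fi
}
```

Source this file from a script ("." ./compat.sh) and call sed_inplace, file_mtime and epoch_to_iso instead of the raw commands; scripts that need GNU-only sed syntax should call require_gnu_sed once at startup so they fail early on a BSD host without the port rather than half-way through an edit.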
Given the above analysis, it is clear that Debian GNU/Linux is a system
administrator's dream come true. It is stable, secure, and extremely easy
to maintain. Its main disadvantage is that
stable releases are increasingly few and far between, so a Debian system
tends to get out of date. If this is unacceptable, administrators have an
option to install newer packages from third-party repositories or perhaps
upgrade to one of the Debian-based distributions with more frequent stable
releases, such as Ubuntu Linux. On the other hand, if it is desirable to
keep applications up-to-date to take advantage of new features in them,
FreeBSD is hard to beat. The applications in its ports tree are maintained
independently of the base system and can be updated regularly with relative
ease. On the negative side, maintaining a FreeBSD system and keeping it
up-to-date with security and bug-fix updates is a complex and
time-consuming task, sometimes requiring hours of compiling software.