Who runs the default vendor package applications for production anyway ?

Posted Mar 23, 2005 19:23 UTC (Wed) by Spike (guest, #14160)
Parent article: Security Innovation's Microsoft/Linux web server security study

When I install a LAMP stack on a production web application/database host(s), I never use the vendor-installed stuff anyway if I run apache/php/perl/mysql on a host.

I compile locally for the options I want and the patch/version control that is needed for secure, feature-rich sites. When a patch is announced, if the host(s) is/are vulnerable, I can patch ASAP.

I would imagine most professionally run environments are run this way as well.

These packages, in my opinion, are placed and maintained for the convenience of users and are really usable only for internal applications where evildoers are less likely to tread.


Who runs the default vendor package applications for production anyway ?

Posted Mar 29, 2005 19:42 UTC (Tue) by dps (subscriber, #5725)

I think my network counts as a "professional environment". I mostly run Debian binary packages (woody and a 2.4.x kernel), seriously minimised. I roll my own kernels and frequently compile in everything I need and disable modules. 2.2.x kernels lack iptables, so they are too conservative for my taste.

Tracking the security of everything installed everywhere would require more time than I have to keep the system happy, so apt-get upgrade is worth a lot. This does not mean I would not roll my own fixed version for something serious not covered by a DSA.

The major limitation of Debian, RH, etc. vendor packages is that it is hard to know the coverage of their backported fixes.

BTW, almost all M$ boxen run 100% vendor packages, and only the vendor can provide security fixes. Even if you get the source, AFAIK M$ "shared source" does not allow you to actually fix a problem and use the fixed version.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds