Avoiding source code on production servers

Neil Neely neil at neely.cx
Sat May 23 15:09:24 UTC 2009 

Tonix (Antonio Nati) wrote:
> I'm in the phase of planning my new generation of FreeBSD servers, and 
> I would love to make them more easy to upgrade.
> Main problem I have currently is I do not want any source code on 
> production server, so freebsd-update is welcome, but... what about 
> packages?
> I would use packages, but they are not easy to upgrade, while ports 
> can be easy to upgrade, but need to have sources an servers.
The weakness of FreeBSD here is very unfortunate and IMO goes far beyond 
just source vs binary distribution.  Working in a mixed environment 
where we have begun heavily using CentOS and utilizing yum it's obvious 
how far behind FreeBSD has fallen in this space.  Ports lack any kind of 
concept of  "Long Term Stable", so if you are running anything in ports 
(like say perl...) then when a security issue comes out you end up 
having to install new versions - the default is not to patch the older 
versions.  For non-production environments that is likely fine, but for 
major production services it is a painful scenario.  So you aren't just 
fixing security you are mixing in the concept of adjusting functionality 
as well.

(A recent perl "security" upgrade moved perl to a new version which 
broke compatibility with the Crypt::CBC module requiring a reinstall - 
the new version of that from ports forced salting when it hadn't 
previously and now applications were needing to be recoded to get it all 
working again.)

At the end of the day FreeBSD of course lets you have all the power to 
just apply the patches yourself to the source and you would be fine.  At 
the cost that you need to be doing all of this work yourself and can't 
rely on nice management tools to help you.  Every problem I've ever 
encountered with FreeBSD can be easily handled by a FreeBSD expert - but 
when I bring in a new green admin they have a heck of a time making any 
sense of it and I'm drug back into the trenches of managing all this.

Why the contrast is extra frustrating is that it takes considerable 
skill and understanding of the details of an environment to safely 
update a production FreeBSD server.  Contrast this with CentOS where an 
extremely green admin can easily manage it with minimal instruction. 
Unlike with the FreeBSD process this has no risk that it will cause 
cascading complex issues that require application modification to 
restore them to operation.

I've been using FreeBSD since the 2.x days in '96 or so, and I love it - 
my tone is critical because I'm sad to see the state of things and 
doubly sad that I don't have the time to volunteer with the project to 
help do something about it.  In most ways I consider FreeBSD superior to 
any linux, however this core issue of maintenance over time has been 
driving our shift to using CentOS over the last few years.  If a "Long 
Term Stable Port Tree" concept were to come along I think that would 
plug the hole here.  While I lack the time to lead such a charge, I 
would be happy to assist if such an effort were to get launched. 

-- 
Neil Neely
http://neil-neely.blogspot.com/

More information about the freebsd-isp mailing list