On Wed, 13 Jan 2010, da...@lang.hm wrote:

> Remember that if it's not installed on the server it doesn't need to be

Excellent advice. I've encapsulated my thoughts on the subject here:

http://practicalsysadmin.com/wiki/index.php/Minimum_Software

> Along the same lines, for large applications (like Apache), don't enable

Again, excellent advice to not enable features that are not needed. Apache is a great example.

> features that you don't need. If possible compile your own so that the
> features you don't need aren't even compiled. This makes it likely that

I discourage organisations from compiling their own versions. The reason is that this shifts the responsibility for security updates from the vendor to the local sysadmins. The local sysadmins need to recompile and install the apps every time there is a vulnerability. This drives up the management overhead and raises other concerns...

Will they always use the same compile time flags? I've even seen big vendors fail this one.

Will they backport the patch or compile a new version? If they compile a new version then the behaviour may well change. A full test cycle would be needed before deployment, assuming it even passes.

Will it be done in a timely fashion? Busy sysadmins might let it slip, to catastrophic consequences.

Cheers,

Rob

--
Email: rob...@timetraveller.org
IRC: Solver
Web: http://www.practicalsysadmin.com
I tried to change the world but they had a no-return policy