----- "Brian Mathis" <brian.mat...@gmail.com> wrote:
> On Thu, Jan 14, 2010 at 2:01 AM, <da...@lang.hm> wrote:
> [...]
> > Along the same lines, for large applications (like Apache), don't enable
> > features that you don't need. If possible compile your own so that the
> > features you don't need aren't even compiled. This makes it likely that
> > security patches for this application are not actually required for your
> > installation.
> [...]
> > David Lang
>
> I have to disagree here. If you are using an Enterprise Linux distro,
> you should not be compiling things yourself. It destroys the whole
> point of using an Enterprise distro. They go to great lengths to test
> all the dependencies and ensure that you have a valid system.
> Compiling your own blows this out of the water, especially if you
> "make install" on the target system. It's only marginally better if
> you roll your own RPMs and then install those.
I could see David's approach as viable if he has the time to baby the service. If a web service is his bread and butter (i.e. a server farm of just those apaches/nginx/lighttpds) and he does adequate testing, a custom compile could be more secure, or even required. I have not been in such an environment. But I imagine that some shops need custom-compiled applications for a particular functionality/performance threshold. With proper care, I could see it being more secure than the stock distro. Most folks should just stick with the enterprise release though. It's a lot more efficient to simply disable all but necessary modules.

_______________________________________________
Discuss mailing list
Discuss@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
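The "disable all but necessary modules" approach from the reply above is only as good as your ability to verify it after every package update. The script below is an added example, not part of the original thread or of any distribution's tooling: it compares the modules an Apache httpd instance reports via `httpd -M` against a site-specific allow-list and prints any module that should not be loaded. The allow-list and the embedded sample `httpd -M` output are constructed for illustration and must be tailored to the site; on a live host run it with `--live` instead of the sample.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a stock-package
# Apache httpd for loaded modules that are not on a site allow-list, so
# unneeded modules can be disabled in the distro config rather than by
# rebuilding the package. Assumes the `httpd -M` output format: a
# "Loaded Modules:" header followed by " name_module (static|shared)" lines.

# Constructed allow-list: the minimum this hypothetical site needs.
ALLOWED_MODULES="core_module so_module http_module mpm_event_module
authz_core_module dir_module mime_module log_config_module unixd_module"

# Constructed sample of `httpd -M` output standing in for a live system.
SAMPLE_HTTPD_M='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 authz_core_module (shared)
 dir_module (shared)
 mime_module (shared)
 log_config_module (shared)
 unixd_module (shared)
 cgi_module (shared)
 userdir_module (shared)
 status_module (shared)'

# unexpected_modules: read `httpd -M` style text on stdin and print one
# line per loaded module that is not in ALLOWED_MODULES.
# Returns 0 if every loaded module is allowed, 1 otherwise.
unexpected_modules() {
    found=0
    while IFS= read -r line; do
        case $line in
            "Loaded Modules:"|"") continue ;;
        esac
        # Strip leading whitespace, then the trailing " (static)"/" (shared)".
        mod=${line#"${line%%[![:space:]]*}"}
        mod=${mod%% *}
        allowed=0
        for a in $ALLOWED_MODULES; do
            [ "$a" = "$mod" ] && { allowed=1; break; }
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$mod"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# count_unexpected: number of modules outside the allow-list in the
# `httpd -M` text passed as $1 (handy for a monitoring check).
count_unexpected() {
    printf '%s\n' "$1" | unexpected_modules | wc -l | tr -d ' '
}

# Stand-alone run: --live queries the local httpd, otherwise use the sample.
if [ "${1:-}" = "--live" ]; then
    input=$(httpd -M 2>/dev/null)
else
    input=$SAMPLE_HTTPD_M
fi
if printf '%s\n' "$input" | unexpected_modules; then
    echo "all loaded modules are on the allow-list"
fi
```

Wire the `--live` form into configuration management or a cron job so that a package update that silently re-enables a module (a new file in `conf.modules.d/`, for example) shows up as a diff against the allow-list rather than going unnoticed until the next audit.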