On 13.04.2016 at 15:12, Michael Orlitzky wrote:

> On 04/13/2016 01:26 AM, Ian Zimmerman wrote:
>> On 2016-04-12 10:57 -0400, David Niklas wrote:
>>> You could use Gentoo, you get to configure it all yourself!
>>
>> Funny you'd say that, I _am_ actually switching to it - on my "workstation" role computers. I'm already over 50% over the hump, I think. But on "server type" computers, I just cannot spare a dedicated security branch. I really don't have the time, and more importantly the nerves, to scramble and recompile the world when each new vulnerability is announced.
>
> This shouldn't be worse on Gentoo than it is anywhere else. We have a mailing list, gentoo-announce [0], where security advisories get sent. But, they only get sent out once the vulnerability has been fixed and marked stable /everywhere/, so they often come a little late. Nevertheless, security issues are fixed ASAP:
>
> 1. Some vulnerability is found.
> 2. The security team opens a bug, and contacts the maintainer of the affected package.
> 3. A fix is committed to the tree.
> 4. The arch teams scramble to stabilize the version with the fix.
> 5. The announcement is sent out.
>
> As long as you follow a semi-regular update cycle, you shouldn't have to do anything special, even if you run a stable system. The affected package will be recompiled automatically as part of the updates. Any packages *depending on* that package (like, if they're statically linked to it) will also be recompiled. No need to recompile @world
enough problems by wasting time if you have to maintain 10, 20, 30 or more servers and in case of problems need fast downgrades - especially if you run virtual machines where all the compile jobs share hardware
besides that on a production server no compilers should be installed at all - the generation of malware which compiles itself is only a question of time
what gentoo would need to solve for professional environments is that you have one machine which pulls the updates, compiles them and packages them in a way all other machines in the network can pull and apply them in precompiled form over ftp, http or whatever network protocol

we are doing the same even for Fedora servers where one machine which has all packages installed moves them from yum/dnf-cache to a repo folder, runs createrepo and all other machines have only this repo enabled and so can do a "yum -y upgrade" which can be triggered over SSH directly from the admin machine with a "distribute-updates.sh" script and its own SSH key for that task
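The one-build-host / many-clients workflow sketched in the two paragraphs above, written out as an added example script. It is not the poster's "distribute-updates.sh" and nothing here comes from the Gentoo or Fedora projects; the paths (/srv/repo/updates, /var/cache/dnf, /root/.ssh/distribute-updates, /etc/distribute-updates.hosts), the assumption that dnf keeps downloaded RPMs (keepcache=True), and the hostnames in the hosts file are all assumptions to adapt. The client-side authorized_keys line is the standard OpenSSH way to pin a dedicated key to the single command it is allowed to run.

```shell
#!/bin/sh
# distribute-updates.sh: added example of the build-host -> repo -> "yum -y upgrade"
# workflow described in the mail. Not the poster's script; every path, hostname and
# file below is an assumption you would adapt.
#
# Build host (assumed): dnf keeps downloaded RPMs (keepcache=True in dnf.conf),
# /srv/repo/updates is served over http, clients have only that repo enabled.
# Client (assumed): root's authorized_keys carries the dedicated public key,
# restricted to the one command it may run (see authorized_keys_line).

REPO_DIR="${REPO_DIR:-/srv/repo/updates}"
DNF_CACHE="${DNF_CACHE:-/var/cache/dnf}"
SSH_KEY="${SSH_KEY:-/root/.ssh/distribute-updates}"        # key used for nothing else
HOSTS_FILE="${HOSTS_FILE:-/etc/distribute-updates.hosts}"  # one hostname per line
DRY_RUN="${DRY_RUN:-0}"                                    # 1 = print commands only

# Copy every RPM from the package cache into the repo folder and print how many
# RPMs the repo folder holds afterwards.
stage_rpms() {
    cache="$1"; repo="$2"
    mkdir -p "$repo"
    find "$cache" -type f -name '*.rpm' -exec cp -p '{}' "$repo/" \;
    find "$repo" -maxdepth 1 -type f -name '*.rpm' | wc -l | tr -d ' '
}

# Regenerate the repodata so the clients see the new packages.
rebuild_repo() {
    repo="$1"
    if [ "$DRY_RUN" = "1" ]; then
        echo "createrepo --update $repo"
    else
        createrepo --update "$repo"
    fi
}

# The exact ssh invocation used per host: dedicated key, non-interactive, and the
# host key must already be known (no blind trust on first connection).
upgrade_cmd() {
    host="$1"
    printf 'ssh -i %s -o BatchMode=yes -o StrictHostKeyChecking=yes root@%s %s\n' \
        "$SSH_KEY" "$host" "'yum -y upgrade'"
}

# authorized_keys entry for the client side: the dedicated key can only run the
# upgrade and cannot be turned into a shell, tunnel or agent hop.
authorized_keys_line() {
    pubkey="$1"
    printf 'command="yum -y upgrade",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$pubkey"
}

# Run the upgrade on every host in the hosts file, skipping blank lines and
# comments. Prints one status line per host; returns non-zero if any host failed.
distribute() {
    hosts="$1"; failed=0
    while IFS= read -r host || [ -n "$host" ]; do
        case "$host" in ''|'#'*) continue ;; esac
        cmd=$(upgrade_cmd "$host")
        if [ "$DRY_RUN" = "1" ]; then
            echo "DRY-RUN $host: $cmd"
        elif eval "$cmd"; then
            echo "OK $host"
        else
            echo "FAILED $host"; failed=1
        fi
    done < "$hosts"
    return "$failed"
}

main() {
    n=$(stage_rpms "$DNF_CACHE" "$REPO_DIR")
    echo "repo now holds $n RPMs"
    rebuild_repo "$REPO_DIR"
    distribute "$HOSTS_FILE"
}

# Only run the full flow when invoked as "distribute-updates.sh run".
case "${1:-}" in run) main ;; esac
```

Run it as `DRY_RUN=1 ./distribute-updates.sh run` first to see the createrepo and ssh commands it would issue for each host without touching anything. The clients never need a compiler or the build host's credentials; the only thing the admin machine holds is one key that, on the client side, is pinned to `yum -y upgrade` and nothing else, so a leak of that key does not hand out a shell.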