Today I saw a ‘how-to’ for what is supposed to be the ‘perfect server’ setup. The ‘perfect’ was not meant literally, but the setup is in fact very nice, at least from a functional point of view.

Open source is great, you can learn a lot from looking at the source code of an application, you can even fix a bug here and there, or code in a feature you always wanted. And all for free…

What bothered me about this setup was the excessive number of custom-compiled subsystems needed to make everything perform in the desired way. Getting the system working is a nice achievement, but keeping it running in production would be a nightmare. On a binary-package-based distro this is bad security practice; let me explain why.

Applications compiled from source do not integrate with the package manager, and when they do (for example via rpmbuild) it is only a workaround: the source is compiled and wrapped into a package so that it can be installed. The package then merely appears in the inventory; versioning is broken, dependency tracking is broken, updates are broken…

The administrator would have to track changes to each custom-compiled subsystem, pick out the worthwhile updates, watch for security fixes, and then patch, compile, reconfigure and test the system, all while keeping good uptime. That’s not good and you don’t want to do that, unless you are some kind of masochist!
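A first step towards knowing what you would have to track is an inventory of executables the package manager does not own. The POSIX shell check below is an added example, not code from the original post; it assumes dpkg (Debian/Ubuntu) or rpm (Fedora/RHEL/SUSE) is available, and treats any executable those tools cannot attribute to a package as a custom build that will miss distro security updates.

```shell
#!/bin/sh
# Report executables under the given directories that no installed package claims.
# Such files are outside the distro's update and vulnerability-tracking process.

# Return 0 if the package manager knows which package installed "$1".
owned_by_package() {
  f="$1"
  if command -v dpkg >/dev/null 2>&1; then
    dpkg -S "$f" >/dev/null 2>&1
  elif command -v rpm >/dev/null 2>&1; then
    rpm -qf "$f" >/dev/null 2>&1
  else
    # No known package manager: nothing can be attributed, so treat as unowned.
    return 1
  fi
}

# Print every regular file with the owner-execute bit set that no package owns.
find_unpackaged() {
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    find "$dir" -type f -perm -100 2>/dev/null | while read -r f; do
      owned_by_package "$f" || printf '%s\n' "$f"
    done
  done
}

# Typical locations for hand-built software; pass your own list as arguments.
if [ $# -gt 0 ]; then
  find_unpackaged "$@"
fi
```

Run it as `sh unpackaged.sh /usr/local/bin /usr/local/sbin /opt` and add each reported path to the list of things you must patch by hand, or better, replace with a packaged version.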

Instead, let’s use the resources of the distro’s packaging team. That’s what we have package management for. Use it! Each of the top distros has a dedicated team to keep the packages up to date.

If your distro does not natively provide the package you want, look for optional or third-party repositories. Usually your requirements are not that unique, and the application is already prepackaged in one of them. There is a good chance that such repositories are maintained well enough that updates will be available when you need them.

Next time you decide to install something, think: is it also maintainable?
