On Sun, Nov 2, 2008 at 3:27 PM, Jeffrey Watts <jeffrey.w.watts@gmail.com> wrote:
In regards to uniquely compiled binaries - this would make auditing and testing a nightmare. If you have 100 identical webservers, having 100 different Apache binaries is a terrible idea. You want to have a test environment where you test ONE binary and deploy that ONE binary across the entire platform. You can then guarantee that that tested binary will work properly and is secure.
Setting exactly that scenario up, to support internal distribution of binaries compiled once and pushed internally, happens to be easier to set up with Gentoo than with other distribution frameworks, which is why after several weeks of research I wound up recommending standardizing on an in-house Gentoo-derived system when I was tasked with the assignment of composing such a recommendation.
http://en.wikipedia.org/wiki/Portage_(software)#Binary_Packages
The feature set I was looking for included:
* an existing stream of security patches and ease of application
* rapid deployment of new nodes
* rapid configuration of a new node into a standard configuration
* easy definition of standard configurations
* no interference with upstream patches to packages in use
This list does not include "vendor support." The client for whom I made that call takes great pride in the depth and breadth of their system administration skills.
I was surprised by my finding, as I am a fan of Debian, but setting up and maintaining in-house ebuilds happens to take fewer keystrokes than setting up and maintaining custom debs, especially when it comes to selecting from available updates.
I do not know if the client for whom I made the recommendation has followed it or not. I am curious; I would appreciate it if anyone on this list who still works there could give me an update on the progress of that project.
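As an added illustration of the "compile once, deploy the same tested binary everywhere" workflow the two messages above describe, here is a small POSIX shell sketch of the Portage binhost split. It is not code from the thread or from Gentoo; the Portage variables (`FEATURES`, `PKGDIR`, `PORTAGE_BINHOST`, `EMERGE_DEFAULT_OPTS`) and the `buildpkg`/`getbinpkg`/`--usepkgonly` settings are real, but the file paths, the hostname, the package file and the manifest-check step are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Two make.conf fragments (build host vs. production node) plus a checksum
# gate so a node only installs the exact binary package that was tested.
set -eu

# Build/test host: compile once and always keep the resulting binary package.
write_buildhost_conf() {
    cat > "$1" <<'EOF'
# make.conf fragment for the build/test host (path is an assumption)
FEATURES="${FEATURES} buildpkg"
PKGDIR="/var/cache/binpkgs"
EOF
}

# Production node: never compile locally; fetch only pre-built, tested packages.
write_node_conf() {
    cat > "$1" <<'EOF'
# make.conf fragment for each production node (path/hostname are assumptions)
FEATURES="${FEATURES} getbinpkg"
PORTAGE_BINHOST="https://binhost.example.internal/packages"
EMERGE_DEFAULT_OPTS="--usepkgonly"
EOF
}

# Check a fetched package against the manifest written on the build host.
# Manifest lines use the sha256sum convention ("<hash>  <filename>"), so the
# build host can produce it with:  sha256sum *.tbz2 > MANIFEST
# Returns 0 when the hash matches, 1 when it is missing or differs.
verify_pkg() {
    manifest="$1"
    pkg="$2"
    name=$(basename "$pkg")
    expected=$(awk -v f="$name" '$2 == f { print $1 }' "$manifest")
    if [ -z "$expected" ]; then
        echo "no manifest entry for $name" >&2
        return 1
    fi
    actual=$(sha256sum "$pkg" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Stand-alone demo with a constructed package file (not a real Portage tbz2).
demo() {
    work=$(mktemp -d)
    write_buildhost_conf "$work/make.conf.buildhost"
    write_node_conf "$work/make.conf.node"

    printf 'tested apache build (constructed stand-in)\n' > "$work/apache.tbz2"
    ( cd "$work" && sha256sum apache.tbz2 > MANIFEST )

    if verify_pkg "$work/MANIFEST" "$work/apache.tbz2"; then
        echo "apache.tbz2 matches the tested build: install allowed"
    fi

    # A locally modified/rebuilt package must be rejected by the node.
    printf 'locally rebuilt\n' >> "$work/apache.tbz2"
    if verify_pkg "$work/MANIFEST" "$work/apache.tbz2"; then
        echo "unexpected: modified package accepted"
    else
        echo "apache.tbz2 differs from the tested build: install refused"
    fi
    rm -rf "$work"
}

demo
```

The checksum gate is the piece that makes the "ONE tested binary" guarantee checkable rather than assumed: the node refuses anything whose hash is not in the manifest the build host published, which also catches a stray local compile or a corrupted download.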