
Re: Considering Debian (currently using Red Hat)



Fred Whipple said on Wed, Jan 14, 2004 at 09:56:35AM -0500:
> 1.)  One of the biggest reasons we went with Red Hat many years ago was 
> RPM.  Of course I know that Debian has a package system, and there're 
> constant arguments about which is better, if either.  What I wonder, 
> though, is how they compare for the purposes of security checking.  On a 
> Red Hat system, practically any file or directory outside of /home can 
> be found within the RPM database.  We can check each and every file, its 
> MD5 hash, etc.  It's like having a built-in Tripwire installation so 
> long as you trust the RPM database.  We've modified the RPM installation 
> such that we can trust it more than we trust Tripwire.  Do Debian 
> packages have similar security built-in?
 
Yes.   Debian packages contain an MD5 sum of all of the packages in the deb.
You can check these with the debsums tool.

However, Debian has several security scanners packaged that are probably better
than just using debsums; AIDE comes to mind.

> 2.)  A related reason we used Red Hat was that practically anything you 
> could want to use was pre-packaged in a simple to install RPM.  And they 
> were typically pretty high quality RPM's, and very often well 
> maintained.  Do admins typically find that they're able to find Debian 
> packages for most software they're typically interested in using?  I 
> realise this varies greatly between markets, but I guess what I'm
> asking is do you usually find 70% of the packages you're interested in 
> in Debian package format, and well maintained?  80%?  Just a general idea.
 
Over 80%.  In general, I'd say that the more popular Debian packages are
extremely well maintained, while the smaller, less popular packages range from
extremely well maintained to pretty good.  I do end up backporting from
unstable to stable for a few packages that I want newer versions of.

> 3.)  I read quite a bit of the Web site, and see that in general, 
> releases seem to be very far and few between.  This is advantageous to 
> ISP's, of course, because we want things to just "work".  Is my 
> perception correct in that releases are far apart?  When is the next 
> release expected?  How significant is the difference from, say, 3.0 and 
> 3.1.  Can you just install a bunch of packages and call it an upgrade, 
> or do you have to go through a whole ordeal as you do between Red Hat .X 
> versions?

Stable releases are far apart; one every 1.5 - 2 years, historically.  Not sure
when the next release is; sometime this year (2004), hopefully.  Since 3.1
hasn't released yet, I'm not sure, but generally a new release involves a new
major kernel revision (2.2 -> 2.4, or 2.4 -> 2.6), a new major libc, and new
major releases of most of the important subsystems.

Debian makes a point of having upgrades being smooth and as painless as
possible; I've gone through two major upgrades by simply running `apt-get
dist-upgrade', and it worked well.  Obviously, you'll want to take precautions
and have time to test.

> 4.)  How long are previous versions maintained with patches and such?
> Or to restate this, how long after a new version is released are you 
> FORCED to upgrade in order to maintain security?  How drastic are the 
> changes in between minor version increments (say, 3.0 to 3.1)?  For 
> example, Red Hat has tended to make significant kernel upgrades and 
> glibc upgrades in minor version changes, and has caused significant 
> incompatibilities that have caught us by surprise.
 
I believe you get about a year's grace period after a new release for security.
However, the security team are volunteers, and I think that they decide how
long to support the last stable release.

Minor version changes can be large; however, they are infrequent.  It wouldn't
be too out of line to consider every Debian release to be a major one.

> 5.)  Of course we'll be testing it extensively ourselves, but what would 
> you say the most significant differences, both from a user and an admin 
> perspective, are between Debian and <Brand X> Linux?  Or, maybe better 
> stated, why Debian?  I know that's a religiously charged question, but
> at the moment our only position is "not RHL."  We're open to being 
> converted ;-)
 
From the user's standpoint, the differences should be minimal.  From an admin
perspective; some things are handled differently (network config jumps out,
Debian doesn't have /etc/sysconfig or similar), but generally things are the
same.  Debian tends to (IMHO) have a cleaner layout of files and configs than
other systems I've dealt with (FreeBSD, Redhat, SunOS 5.6).

> 6.)  And finally, if you care to toss in any ideas or info, I'm very 
> glad and excited to hear it.  For instance, if you were going to switch 
> all your systems within the next year, would you choose something else?  
> A BSD port?  Go back to Solaris?  Novell?  SCO?  Just kidding.

I think that FreeBSD is also a good choice to consider.  I like Debian's
package management better, but I've had good experiences with FreeBSD also.

M
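The check the reply describes (comparing every installed file against the MD5 sums dpkg recorded for its package, which is what debsums does) can be illustrated with a small POSIX shell script. This is an added example, not code from the thread or from debsums itself. It relies on the real dpkg manifest layout, `/var/lib/dpkg/info/<package>.md5sums` with one `hash  relative/path` line per file, but runs entirely inside a constructed throwaway root created by `build_fixture`, so it never reads or modifies the host system; the package name `demo-pkg` and the file paths in it are invented for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original thread): verify installed files
# against a package's dpkg md5sums manifest, the way debsums does.

# check_md5sums ROOT PACKAGE
#   Reads ROOT/var/lib/dpkg/info/PACKAGE.md5sums and recomputes the hash of
#   every listed file under ROOT. Prints one line per CHANGED or MISSING file.
#   Returns 0 if everything matches, 1 if any problem was found, 2 if the
#   manifest itself is absent (nothing to verify against).
check_md5sums() {
    root=$1
    pkg=$2
    manifest="$root/var/lib/dpkg/info/$pkg.md5sums"
    [ -f "$manifest" ] || { echo "no md5sums manifest for $pkg" >&2; return 2; }
    bad=0
    # dpkg writes "hash  path" with the path relative to /, no leading slash
    while read -r expected path; do
        [ -n "$path" ] || continue
        file="$root/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $pkg: /$path"
            bad=$((bad + 1))
            continue
        fi
        actual=$(md5sum < "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED  $pkg: /$path (expected $expected, got $actual)"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# build_fixture [clean]
#   Creates a constructed mini root with one package manifest covering three
#   files, then (unless "clean" is given) simulates post-install tampering:
#   one file is modified and one is deleted. Prints the root directory.
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/var/lib/dpkg/info" "$root/usr/bin" "$root/usr/share/doc/demo-pkg"
    printf 'echo intact\n'   > "$root/usr/bin/demo-ok"
    printf 'echo original\n' > "$root/usr/bin/demo-changed"
    printf 'placeholder\n'   > "$root/usr/share/doc/demo-pkg/README"
    for f in usr/bin/demo-ok usr/bin/demo-changed usr/share/doc/demo-pkg/README; do
        printf '%s  %s\n' "$(md5sum < "$root/$f" | cut -d' ' -f1)" "$f"
    done > "$root/var/lib/dpkg/info/demo-pkg.md5sums"
    if [ "${1:-}" != "clean" ]; then
        # simulated tampering after the manifest was recorded
        printf 'echo tampered\n' > "$root/usr/bin/demo-changed"
        rm "$root/usr/share/doc/demo-pkg/README"
    fi
    echo "$root"
}

# Stand-alone demo run; on a real Debian host the equivalent is `debsums -c`.
demo_root=$(build_fixture)
if check_md5sums "$demo_root" demo-pkg; then
    echo "all files match for demo-pkg"
else
    echo "integrity problems found under $demo_root"
fi
```

Two caveats a defender should keep in mind, both of which apply equally to the RPM approach in the question: the check is only as trustworthy as the manifest directory, so an attacker who can rewrite `/var/lib/dpkg/info` can make a modified file look clean, which is why the reply points at AIDE (a separate, externally stored database) for anything beyond a quick sanity check; and dpkg's manifests do not cover conffiles, so files under `/etc` need a different mechanism (debsums has options for that case).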
