
Re: Trusting Backports and unofficial Repositories

On Sun, Jul 18, 2004 at 01:20:50PM +0200, Philipp wrote:
> looking for a solution i came across apt-get.org and the unofficial
> repositories and backports they offer. now here's my question:
> would you trust these archives for your production servers?

probably not.

> 1) Are you using unofficial repositories on production servers ?

no, i run unstable on several dozen production servers without a problem.  i
find that doing that is an excellent way of both keeping software up-to-date
and also keeping several months ahead of the script-kiddies.  i upgrade, on
average, once or twice a month by first upgrading my workstation (which
generally has the same packages as the servers for testing and development)
then, if that goes well, by upgrading the servers in priority of "importance"
(least important servers first - by the time i get around to upgrading the
really important servers i've gone through that particular upgrade over 20
times so any minor tweaks or adjustments that are needed are semi-automatic).

i also usually upgrade the core packages for each server individually (i.e.
"apt-get install package1 package2 ... packageN" rather than "apt-get
dist-upgrade") before doing a full dist-upgrade - e.g. for a mail server i
upgrade postfix and all other core mail packages first, for a database server,
i upgrade postgres first, for a web server, i upgrade apache etc first.

i do this to a) minimise downtime of the core functions (i.e. to make sure that
the packages are restarted very quickly instead of waiting for hundreds of
other packages to be configured and restarted); and b) to minimise any problems
- the fewer packages upgraded at any one time, the less chance of a problem and
the easier it is to notice and deal with it immediately.

point b above also avoids one major problem with running stable, which is that
every few years you do a major upgrade from the previous stable release to the
new one.  at that time you have a couple of years of cruft and configuration
changes to hundreds (if not thousands) of packages to tweak (or completely
rewrite/reconfigure), all at once and probably with users screaming at you
while you're working on it.  by regularly upgrading unstable, you get to deal
with the same issues in much smaller pieces, one or two at a time rather than
all at once.

i really don't see the point of stable+backports - installing backports defeats
the original purpose of running stable, it's like saying "i'll have a black
coffee......but with a little bit of cream"*, so you may as well run unstable.
at least with unstable, you know the package is done by the official debian
package maintainer, that it is of a high enough standard to get into the debian
archive, and that all the usual debian infrastructure (incl. bugs.debian.org)
is there to support it.  you also get a package that is tested by hundreds or
thousands of people who use unstable rather than the handful that use stable +
backports (or worse, you're the ONLY person with YOUR exact combination of
stable plus other packages).

(*) no matter how nice it is, it's not a black coffee any more.


craig sanders <cas@taz.net.au>

The next time you vote, remember that "Regime change begins at home"
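The core-first staged upgrade described in the message, written out as a POSIX shell script (an added example, not the poster's own script; the role-to-package mapping and package names such as postfix-pcre and apache2 are constructed assumptions, and APT_DRY_RUN is a hypothetical variable for reviewing the plan before running it):

```shell
#!/bin/sh
# Staged upgrade: core packages for the server's role first, then the rest
# with dist-upgrade. The role mapping below is a constructed example; the
# package names are assumptions, check them with apt-cache on the target.

# Print the core packages for a role as a space-separated list.
core_packages_for() {
    case "$1" in
        mail) echo "postfix postfix-pcre" ;;
        db)   echo "postgresql" ;;
        web)  echo "apache2" ;;
        *)    return 1 ;;
    esac
}

# Run apt-get, or only echo the command when APT_DRY_RUN=1 (hypothetical
# variable) so the plan can be reviewed before touching a production box.
run_apt() {
    if [ "${APT_DRY_RUN:-0}" = 1 ]; then
        echo "apt-get $*"
    else
        apt-get "$@"
    fi
}

# staged_upgrade ROLE: refresh the index, simulate the core upgrade with
# apt-get -s (abort if apt reports a problem), apply it so the core services
# restart quickly, and only then dist-upgrade everything else.
staged_upgrade() {
    role="$1"
    pkgs=$(core_packages_for "$role") || {
        echo "unknown role: $role" >&2
        return 2
    }
    run_apt update || return 1
    run_apt -s install $pkgs || return 1
    run_apt install $pkgs || return 1
    run_apt dist-upgrade || return 1
}
```

Run as `APT_DRY_RUN=1 sh staged-upgrade.sh` first to see the exact apt-get calls for a role before letting it run for real.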
