
Re: ISP asking about switching to Debian from OpenBSD



on Tue, Nov 20, 2001 at 01:38:11PM -0800, Mark Ferlatte (ferlatte@cryptio.net) wrote:
> On Tue, Nov 20, 2001 at 01:28:36PM -0600, David Batey wrote:
> > STABILITY: is Debian a good choice for heavy lifting? 
> 
> There are some legit concerns regarding the Linux kernel as opposed to
> the *BSD kernels as far as heavy lifting goes, but if you're
> considering Debian, then you probably feel that those concerns are
> addressed to your satisfaction.  As far as distributions go, Debian's
> packaging quality is very high, and if you go with stable that's
> exactly what you get: serious stability.

Most of these boil down to the TCP/IP stack.  The *BSD stack is damned
good, and the rest of the world drools after it.  Linus himself admits
that Linux kernel networking code is a mess, and that he's not
personally a network hacker.  That said, GNU/Linux works pretty well,
most of the time.

My own experience running GNU/Linux and OpenBSD (2.7) side-by-side is
that I get the odd freeze and restart on oBSD, but not GNU/Linux (unless
it's something I've done myself, usually involving crashing X).  Typical
uptimes on both systems run months.  UPS on the GNU/Linux box, I've
watched the oBSD walk straight through power flux that flickers the
lights, with nothing more than a surge protector.

> > I know about apt-get for easy installation of bug/security patches;
> > does the ease-of-install ever compromise security or functionality?
> 
> Not in my experience.  

I'll hit this point more specifically.

I'm going to swap out my OpenBSD system for a very light stable Debian
install.

OpenBSD offers a very tight, very secure, by default, system.  What you
lose in the process are:

  - Flexibility of configuration and modification.  I like SysV init.
    Theo rants how it sucks and is more complex.  The Debian
    implementation is damned good for GNU/Linux, is worlds better than
    Red Hat's "gee, we could use another three levels of indirection,
    let's put them in" crap, and makes starting, stopping, and
    restarting services completely straightforward.

  - Choice.  You can choose the software you want to install.  Much of
    it is packaged for Debian.  That which isn't you can install from
    RPM (via alien) or compile from sources (use equivs to satisfy
    deps).  You can run the oBSD mods if they'll build, though there may
    be compiler tweaks they've effected, I haven't dug into the system
    that deeply.  The *BSDs offer ports (and from what I've heard,
    they're cool), but this puts you outside the envelope of security
    audits provided by the oBSD core.  apt-get source puts you near the
    equivalent functionality of ports.  
    
    oBSD is pretty clear that it's a full *system*, not merely an
    assembly of packages as is the case for many GNU/Linux distros
    (Debian included).  However, the collection of packages approach
    means that Debian can offer many things to many people.  oBSD is
    pretty much "secure Unix clone, primary network services
    orientation".  Not a bad thing.  But limited choice.

  - Updates.  oBSD's been making strides, but the reason I'm still
    running 2.7 (3.0 is now out) is that updates are nontrivial.  The
    box I'm writing this on was live-updated from Slink through to Sid
    (actually, it was live-updated from RH 6.2, but that's another
    story).  While oBSD offers you secure by default, Debian offers
    reasonably sane defaults, and a very rapid update cycle.  If there
    are security updates, they're trivial to apply:

       $ apt-get update            # update package lists
       $ apt-get dist-upgrade -d   # download packages
       $ apt-get dist-upgrade      # install updates

    ...the first two commands can be cronned to run overnight (as I do,
    for three systems, over a 56k dialup).

    Bruce Schneier identifies four periods of concern for security
    issues:
    
     1.  Introduction of vulnerability.  It exists, but is unknown.
     2.  Awareness.  It is known, but not necessarily patched.
     3.  Introduction of fix.  A software patch is available.
     4.  Application of fix.  Software patch is widely applied.

     What oBSD does is try to minimize factor 1.  What Debian does is
     address 3 & 4.  They're somewhat orthogonal approaches (Debian also
     addresses 1 a bit), but both have significant impacts on the
     security of *your* system.  I find the Debian approach to be more
     compelling.



> > OpenBSD is pretty secure; how does Debian compare? Is Woody ready
> > for prime-time yet? (If not, would an upgrade from potato to
> > woody likely cause hiccups?)

Woody's pretty adequate for a desktop.  I'd stick with Potato for
production, 'Net-facing, servers.


> > FUNCTIONALITY: We need DNS server packages, ssh (with ssh
> > tunneling available for other services), smtp/pop, web-based
> > scheduling/calendaring/email facilities, HTTP (apache/mod_perl)
> > servers, and so on...

Deb's down wi'dat.  Cold.

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>       http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?             Home of the brave
  http://gestalt-system.sourceforge.net/                   Land of the free
   Free Dmitry! Boycott Adobe! Repeal the DMCA! http://www.freesklyarov.org
Geek for Hire                     http://kmself.home.netcom.com/resume.html
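A cron-able version of the three-command update routine described in the message above, as an added example that is not part of the original post: it refreshes the package lists and pre-downloads overnight, then parses the output of `apt-get -s dist-upgrade` (simulate only, nothing changed) to report how many pending packages come from the security archive, so the morning install pass can be prioritised. The DRY_RUN switch and the sample simulation output are constructed for illustration.

```shell
#!/bin/sh
# Nightly "fix available -> fix applied" check (Schneier's stages 3 and 4).
# Added example, not from the original post; DRY_RUN and the sample
# output below are constructed so the script can be exercised offline.

DRY_RUN="${DRY_RUN:-1}"   # set to 0 on a real box (must run as root)

# `apt-get -s dist-upgrade` prints one line per package it would install:
#   Inst pkgname [oldver] (newver origin [arch])
# Count the Inst lines on stdin.
count_inst() {
    grep -c '^Inst ' || true
}

# Count Inst lines whose origin is the Debian security archive.
count_security_inst() {
    grep '^Inst ' | grep -c 'security' || true
}

# Constructed sample of simulation output for offline use.
sample_sim_output() {
    cat <<'EOF'
Reading Package Lists...
Building Dependency Tree...
Inst openssh [1:2.3.0p1-1] (1:2.3.0p1-1.3 security.debian.org [i386])
Inst bind [1:8.2.3-1] (1:8.2.3-1.1 security.debian.org [i386])
Inst hello [2.0-1] (2.1-1 http.us.debian.org [i386])
Conf openssh (1:2.3.0p1-1.3 security.debian.org [i386])
Conf bind (1:8.2.3-1.1 security.debian.org [i386])
Conf hello (2.1-1 http.us.debian.org [i386])
EOF
}

nightly() {
    if [ "$DRY_RUN" = 1 ]; then
        sim=$(sample_sim_output)
    else
        apt-get -qq update                 # update package lists
        apt-get -qq -y -d dist-upgrade     # download only; install by hand
        sim=$(apt-get -s dist-upgrade)     # simulate, no changes made
    fi
    total=$(printf '%s\n' "$sim" | count_inst)
    sec=$(printf '%s\n' "$sim" | count_security_inst)
    echo "pending upgrades: $total (from security archive: $sec)"
}

nightly
```

Run it from cron with DRY_RUN=0 and mail the output to yourself; the third command from the message, the real `apt-get dist-upgrade`, is still applied by hand once the report has been read.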
