Inter-WG coordination: Stable application runtimes

Till Maas opensource at till.name
Sun Jan 12 19:58:34 UTC 2014


On Sun, Jan 12, 2014 at 10:39:19AM -0800, Adam Williamson wrote:
> On Sun, 2014-01-12 at 18:55 +0100, Kevin Kofler wrote:

> > So, like Matthew Miller, I think we cannot possibly punt on this issue, but 
> > I totally DISAGREE with his proposed solution of endorsing those bundling 
> > systems officially. Instead, we need to continue packaging things properly.
> 
> Have you looked at what people are installing on Fedora lately? Have you
> looked at how much PHP stuff there is out there vs. what we have
> packaged 'properly'? Java? Ruby? Do you know anyone who deploys
> Wordpress plugins via distribution packages?

Even if people do it, it does not mean that it is the best way to do
it. Mixed packaging makes it a lot harder to properly update in case of
security vulnerabilities. E.g. instead of only checking/ensuring proper
RPM updates one needs to check each distribution method for regular
updates. Is there even some tooling available to check/update all e.g.
rbenv or virtualenv setups properly?

Also it appears to me that non-Fedora packaged software is typically
less secure. For example, I heard that the upstream nginx packages are
not protected by ASLR but the Fedora packages are. Additionally I doubt
that upstream usually considers selinux issues. I guess a lot of people
probably install wordpress with chmod 777 and within a webserver's
document root. Does it mean this is the superior way?

However, if multiple pieces of software require different versions, then this
should be made possible e.g. within RPM or a different central packaging
tool to provide proper version tracking, central updates and uniform
build flags.

Regards
Till
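The question about tooling for virtualenv setups can be answered in a few lines for the Python case; the following is an added example, not part of this thread or of any Fedora tooling. It walks a set of directories for venv markers (`pyvenv.cfg`), reads Name/Version from each installed package's `*.dist-info/METADATA`, and reports installs older than a fixed version. The advisory table (`example-lib`, fixed in 1.4.2) and the sample venv layout built by `build_demo_tree()` are constructed for illustration only.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed advisory table (illustrative, not real data): normalized name -> first fixed version.
ADVISORIES = {"example-lib": (1, 4, 2)}

def parse_version(text):
    """Crude numeric tuple (X, Y, Z); sufficient for the comparison done here."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3]) or (0,)

def find_venvs(root):
    """Yield every directory under root that carries a pyvenv.cfg (venv/virtualenv marker)."""
    for dirpath, dirnames, filenames in os.walk(root):
        if "pyvenv.cfg" in filenames:
            yield Path(dirpath)
            dirnames[:] = []  # do not descend into the venv itself

def installed_packages(venv):
    """Map PEP 503-normalized package name -> version from each *.dist-info/METADATA."""
    pkgs = {}
    for meta in venv.glob("lib/python*/site-packages/*.dist-info/METADATA"):
        text = meta.read_text(encoding="utf-8", errors="replace")
        name = re.search(r"^Name: *(.+)$", text, re.M)
        version = re.search(r"^Version: *(.+)$", text, re.M)
        if name and version:
            pkgs[re.sub(r"[-_.]+", "-", name.group(1).strip()).lower()] = version.group(1).strip()
    return pkgs

def audit(roots, advisories=ADVISORIES):
    """Return (venv_path, package, installed, fixed) for each install older than the fix."""
    findings = []
    for root in roots:
        for venv in find_venvs(root):
            for name, version in installed_packages(venv).items():
                fixed = advisories.get(name)
                if fixed and parse_version(version) < fixed:
                    findings.append((str(venv), name, version, ".".join(map(str, fixed))))
    return findings

def build_demo_tree():
    """Constructed sample: two venvs, one with the affected version and one already fixed."""
    base = Path(tempfile.mkdtemp())
    for venv, version in (("app1/.venv", "1.2.0"), ("app2/venv", "1.4.2")):
        info = base / venv / ("lib/python3.12/site-packages/example_lib-%s.dist-info" % version)
        info.mkdir(parents=True)
        (base / venv / "pyvenv.cfg").write_text("home = /usr/bin\n")
        (info / "METADATA").write_text("Name: Example_Lib\nVersion: %s\n" % version)
    return str(base)
```

Running `audit(["/home", "/srv"])` on a real host lists the venvs an RPM-only check would never see; rbenv trees would need an analogous walk over their gem specifications.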

