Debian user, seeking advice about Fedora's package management options
Joe Emenaker
joe at emenaker.com
Sun Feb 6 10:26:29 UTC 2005
I've been using Debian for close to a decade now. Having grown up with
its package management, I've come to expect that kind of capability
from my package management tool.
Now, the company that I'm managing servers for is planning on switching
from in-house boxes (where I can install anything I want and installed
Debian), to one of those server-farm-type deals where we get root access
on a Fedora-Core-2 box that's... in a rack *somewhere*.
My first reaction was to try out a tool that I found that can turn any
Linux box into a Debian one by installing the core Debian package
management tools and then letting it supplant whatever was there to
begin with.
But a pal convinced me that RedHat's package management tools aren't as
bad as they used to be... and that I should consider using it. So...
okay... I'm considering it. As a result, I've got a few questions, which
I'm hoping that someone can address in a balanced (as in, as devoid of
debian/redhat religious bias as possible). This will probably sound like
a RedHat-bashing rant... but it's not. I'm not trying to convert or
convince anybody here of anything. I want to hear what Fedora has going
for it from *Fedora* users, not (exclusively) Debian users. I want to
hear, from people who have concluded that Fedora is perfectly suitable,
why they feel the package management system suits their needs. So...
don't take this personally. Don't feel that you have to defend. I'm just
looking to find out what the various tools do, what they don't do, and
how to make them do what they can do.
On to my story....
In the past, when I've been called into a colleague's office to fix
their hacked-into RedHat box, I've always noted how out-of-date their
packages were. They were the original packages that came from the CD a
year or two back. I always tried to fix this by just obtaining newer
versions of the packages over the net. When I tried to get new RPMs
with the fixes, I ran into a few problems. The first problem was that it
was tough finding the *official* patches. Maybe I wasn't looking in the
right place on RedHat's ftp site, but it seemed that I always had to
resort to just searching google for the RPM I needed. This made me
uneasy because... I didn't know the reliability of the person I was
downloading them from. The second problem was that of dependencies.
Inevitably, the newer patched version of, say, Apache, required some
newer libs. So, I'd have to search for a newer version of the library.
Usually, I'd find this at the site of someone *other* than the site I
got the first RPM from. Then, I'd try to install that lib... and it
depended upon another, etc. I wouldn't know if this process was going to
continue one more iteration, or a hundred more.
I'm sure RedHat users have heard this refrain from Debian users before.
I only mention it here because I want to give clear context to the
questions that I ask below:
1 - Of the package tools that are now offered for Fedora (rpm, yum,
up2date, apt?, red-carpet, others?), which ones are able to
automatically get the package from the net? Which ones automatically
also get the dependencies? Which ones show me a list of all of the ones
that are available (like Debian's aptitude or the dreaded dselect)?
2 - I tried up2date once. It seemed like it was headed down the right
track of addressing the issues that I had with RedHat in the past,
regarding automatic downloads from a central source. However, it
*seemed* as though it was merely getting security-patched releases of
selected packages. For example, if I had installed Foo 1.0 and Bar 1.0
with the release CD, and then a new version of Foo (1.1) comes out and a
security-patch for Bar (1.0.1) comes out... it seemed that up2date would
only get the Bar 1.0.1. In short, you're still stuck with the old
versions and their old capabilities, unless there is a security issue or
serious bug that needs fixing. Contrast this with Debian, where I can
point my apt sources.list file to the "unstable" store and I've always
got the latest releases of everything (except major version-number
changes. For example, I had to deliberately de-select Apache and select
Apache2 to move from Apache 1.x to Apache 2.x. But, up to that point,
merely selecting Apache had moved me through Apache 1.1, 1.2, and 1.3 as
they were released).
I guess another way to put it is that... if you had installed RedHat 8,
then running up2date would only ensure that you had a fairly secure
version of the packages (and versions thereof) that originally came with
RH8. On the other hand, with Debian, if I install Debian 2 and run apt
regularly, as Debian 3 is nearing release, my machine would gradually be
picking up the new Debian 3 versions of packages as they passed testing.
On the day Debian 3 was released, the versions of all of the packages on
my machine would, essentially, match those on the release CD of Debian 3.
Was I just imagining that, or is that how up2date really works? Do the
other Fedora management tools work differently? It would be a pain to
have to manually select newer minor version numbers of hundreds of packages.
3 - With Debian, there are oodles of packages available on the official
site and mirrors. Of the several hundred packages I have installed on
our server, I think I've got one or two that come from third-party
"average Joe" sources. On the other hand, from what little I've read
about configuring apt for RedHat thus far (which isn't much, I'll
admit), it seems that there's a much higher occurrence of third-party
sources in the apt sources.list files. For those using any of the
automatic-package-and-dependency-download-and-install tools,
approximately what percentage of your packages (especially new versions
of packages) come from NON-official RedHat sources?
Regards,
- Joe