Debian user, seeking advice about Fedora's package management options

Joe Emenaker joe at emenaker.com
Sun Feb 6 10:26:29 UTC 2005


I've been using Debian for close to a decade now. Having grown up with 
its package management, I've come to expect that kind of capability 
from my package management tool.

Now, the company that I'm managing servers for is planning on switching 
from in-house boxes (where I can install anything I want and installed 
Debian), to one of those server-farm-type deals where we get root access 
on a Fedora-Core-2 box that's... in a rack *somewhere*.

My first reaction was to try out a tool that I found that can turn any 
Linux box into a Debian one by installing the core Debian package 
management tools and then letting it supplant whatever was there to 
begin with.

But a pal convinced me that RedHat's package management tools aren't as 
bad as they used to be... and that I should consider using it. So... 
okay... I'm considering it. As a result, I've got a few questions, which 
I'm hoping that someone can address in a balanced (as in, as devoid of 
debian/redhat religious bias as possible). This will probably sound like 
a RedHat-bashing rant... but it's not. I'm not trying to convert or 
convince anybody here of anything. I want to hear what Fedora has going 
for it from *Fedora* users, not (exclusively) Debian users. I want to 
hear, from people who have concluded that Fedora is perfectly suitable, 
why they feel the package management system suits their needs. So... 
don't take this personally. Don't feel that you have to defend. I'm just 
looking to find out what the various tools do, what they don't do, and 
how to make them do what they can do.

On to my story....

In the past, when I've been called into a colleague's office to fix 
their hacked-into RedHat box, I've always noted how out-of-date their 
packages were. They were the original packages that came from the CD a 
year or two back. I always tried to fix this by just obtaining newer 
versions of the packages over the net. When I tried to get new RPMs 
with the fixes, I ran into a few problems. The first problem was that it 
was tough finding the *official* patches. Maybe I wasn't looking in the 
right place on RedHat's ftp site, but it seemed that I always had to 
resort to just searching google for the RPM I needed. This made me 
uneasy because... I didn't know the reliability of the person I was 
downloading them from. The second problem was that of dependencies. 
Inevitably, the newer patched version of, say, Apache, required some 
newer libs. So, I'd have to search for a newer version of the library. 
Usually, I'd find this at the site of someone *other* than the site I 
got the first RPM from. Then, I'd try to install that lib... and it 
depended upon another, etc. I wouldn't know if this process was going to 
continue one more iteration, or a hundred more.

I'm sure RedHat users have heard this refrain from Debian users before. 
I only mention it here because I want to give clear context to the 
questions that I ask below:

1 - Of the package tools that are now offered for Fedora (rpm, yum, 
up2date, apt?, red-carpet, others?), which ones are able to 
automatically get the package from the net? Which ones automatically 
also get the dependencies? Which ones show me a list of all of the ones 
that are available (like Debian's aptitude or the dreaded dselect)?

2 - I tried up2date once. It seemed like it was headed down the right 
track of addressing the issues that I had with RedHat in the past, 
regarding automatic downloads from a central source. However, it 
*seemed* as though it was merely getting security-patched releases of 
selected packages. For example, if I had installed Foo 1.0 and Bar 1.0 
with the release CD, and then a new version of Foo (1.1) comes out and a 
security-patch for Bar (1.0.1) comes out... it seemed that up2date would 
only get the Bar 1.0.1. In short, you're still stuck with the old 
versions and their old capabilities, unless there is a security issue or 
serious bug that needs fixing. Contrast this with Debian, where I can 
point my apt sources.list file to the "unstable" store and I've always 
got the latest releases of everything (except major version-number 
changes. For example, I had to deliberately de-select Apache and select 
Apache2 to move from Apache 1.x to Apache 2.x. But, up to that point, 
merely selecting Apache had moved me through Apache 1.1, 1.2, and 1.3 as 
they were released).

I guess another way to put it is that... if you had installed RedHat 8, 
then running up2date would only ensure that you had a fairly secure 
version of the packages (and versions thereof) that originally came with 
RH8. On the other hand, with Debian, if I install Debian 2 and run apt 
regularly, as Debian 3 is nearing release, my machine would gradually be 
picking up the new Debian 3 versions of packages as they passed testing. 
On the day Debian 3 was released, the versions of all of the packages on 
my machine would, essentially, match those on the release CD of Debian 3.

Was I just imagining that, or is that how up2date really works? Do the 
other Fedora management tools work differently? It would be a pain to 
have to manually select newer minor version numbers of hundreds of packages.

3 - With Debian, there are oodles of packages available on the official 
site and mirrors. Of the several hundred packages I have installed on 
our server, I think I've got one or two that come from third-party 
"average Joe" sources. On the other hand, from what little I've read 
about configuring apt for RedHat thus far (which isn't much, I'll 
admit), it seems that there's a much higher occurrence of third-party 
sources in the apt sources.list files. For those using any of the 
automatic-package-and-dependency-download-and-install tools, 
approximately what percentage of your packages (especially new versions 
of packages) come from NON-official RedHat sources?

Regards,

- Joe



