Simone Piccardi wrote:
> On 05/02/2013 04:08 PM, Quanah Gibson-Mount wrote:
>> --On Thursday, May 02, 2013 8:32 AM +0200 Denny Schierz
>> <linuxmail(a)4lin.net> wrote:
>>> but then you have to download, patch and update security fixes by your
>> Yep. Part of being a competent sys admin anyhow.
> Sorry, I disagree.
> A competent sysadmin has to make choices on how he has to employ his
> time. When having limited resources the choice you suggest can be easily
> seen as an incompetent wasting of time.
> For example when you have to manage > 70 small servers for > 70 schools,
> applying security upgrades by recompiling apache, bind, samba, openldap
> (just to cite some of the services on them) every time is plain wrong.
> It's a waste of the scarce sysadmin time that could not be afforded.
A competent sysadmin knows how to leverage tools such that 7 servers or 7000
servers require the same amount of hands-on time. One element of making this
feasible is certainly to have the minimum possible variations in deployed
configurations. But a frozen configuration that you built yourself with known
components is just as viable for this purpose as one you obtained from a
distro. And in most cases, due to distro lag times, a config you build
yourself will be superior.
> That's just an example, but there are a lot of situations in which
> the solution to bad distribution packaging cannot be "recompile it by
> yourself and reinstall". Better to point to another distribution or to a
> good packaging (if they exist). Otherwise every competent sysadmin will
> use the packages, also if they are suboptimal.
> I'm sorry to hear that Debian OpenLDAP packages are in such a bad state,
> but if, as it seems, there is no distribution getting OpenLDAP right (I
> heard complaints also about RedHat), then I start thinking that
> something is not working fine, at least on the user end of OpenLDAP
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/