Richard Freeman on 16 Jan 2010 03:50:24 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] PCI Compliancy with Ubuntu/RedHat/Suse

On 01/15/2010 10:21 PM, brent timothy saner wrote:
> On 01/15/10 09:48, Andrew Tsen wrote:
>> I m contemplating on starting to use tar balls and compile and
>> re-do the whole LAMP setup instead of using apt, etc.
> (cough,cough)try gentoo(cough, cough) most of the stable branch is
> latest stable release right from the project.

I'm not sure I'd go quite that far - Gentoo stable tends to be a little 
behind upstream stable releases (for good reason - all mainstream 
distros do this), except where security releases are concerned. 
Typically security issues are handled by version upgrades, but backports 
aren't unheard of - especially if upstream makes them available as 
releases or if the new release has serious issues.

Gentoo in a production environment is done, but you need to consider a 
number of things before going that route.  Still, if you're thinking 
about micro-managing your LAMP setup and building it all yourself 
anyway, then it is probably a no-brainer.  None of the downsides of 
Gentoo really apply to you in that case and you might as well at least 
benefit from the automation.

At the last PLUG North I got a lot of questions around Gentoo in 
production so I added a few slides to the end of my Feb 9th 
presentation.  To be honest this specific sub-topic could easily fill a 
1 hour presentation on its own, so I can really only summarize a few of 
the pros/cons to give everybody a feel for it.

Slides will go out to the list and if feedback is strong I'll probably 
offer to give the talk at the other venues.

I think the fundamental problem is that software version numbers are 
useful to track but they don't definitively indicate whether software is 
vulnerable.  When I run rkhunter on my stable Gentoo box I always get 
flagged for a few software version numbers, but something more serious 
like OpenVAS gives me passing grades and the Gentoo tools for auditing 
against security bugs indicate I'm fine as well.

All that said, distros that don't have serious revenue streams aren't 
generally going to certify themselves against any external compliance 
standards body.  It is just way to expensive to do that.  Most will 
follow something resembling best-practices regarding security releases. 
  If you really need somebody you can sue if something goes wrong you're 
going to have to stick with the big players.

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --