3 Apr
2005
3 Apr
'05
12:39 p.m.
Hi,
as Slackware seems to be on the decline, I am currently looking for
alternatives to consider in case Slackware stops existing altogether.
Gentoo comes very close to a lot of my criteria: excellent security
information, excellent documentation, an active community, support for
several processors and a large central software repository featuring not
only the latest version but also older, perhaps more stable versions.
My main concern is the source-based approach. I developed an allergy
towards source-based software installation when compiling KDE 3.2 for
FreeBSD, and I expect Gentoo to be no better in that respect. I know
that a stage-3 install will save me from compiling anything but the
kernel at first, but an upgrade will certainly involve hours of waiting
for make and portage to finish. No more "oh, wait, I'll just install
this program and then we may go on".
So what's the use? It appears that Gentoo is not noticeably faster than
other distros. One advantage of the source-based approach is certainy
the ability to configure each soft, if you wish to, perhaps yielding in
smaller and maybe more secure binaries. But then again, disk space is
cheap and having to have a C compiler on a production machine is not
always a security advantage either.
Hence, my questions:
-1- Does anybody use Gentoo, and what is their experience?
-2- Has anybody really a punchy argument why source-based software
installation is useful?
Regards,
-pu
3 Apr
3 Apr
1:23 p.m.
On Sunday 03 April 2005 14:39, Patrick Useldinger wrote:
Hi,
Hi.
as Slackware seems to be on the decline, I am
currently looking for
alternatives to consider in case Slackware stops existing altogether.
I doubt that slackware will die.
Gentoo comes very close to a lot of my criteria:
excellent security
information, excellent documentation, an active community, support
for several processors and a large central software repository
featuring not only the latest version but also older, perhaps more
stable versions.
My main concern is the source-based approach. I developed an allergy
towards source-based software installation when compiling KDE 3.2 for
FreeBSD, and I expect Gentoo to be no better in that respect. I know
that a stage-3 install will save me from compiling anything but the
kernel at first, but an upgrade will certainly involve hours of
waiting for make and portage to finish. No more "oh, wait, I'll just
install this program and then we may go on".
I think there is also binary package, like bsd have.
So what's the use? It appears that Gentoo is not
noticeably faster
than other distros. One advantage of the source-based approach is
certainy the ability to configure each soft, if you wish to, perhaps
yielding in smaller and maybe more secure binaries. But then again,
disk space is cheap and having to have a C compiler on a production
machine is not always a security advantage either.
Disk space is not the problem, as compiling software take more place
than using binary. And since almost all distro provides a easy way to
install a compiler, not having it is not a so good protection.
However, having the choice of features is interesting. If someone do not
want to have ipv6 for some reason, he can disable, and it may stop some
problem, either security or stability. Or if he really need to have it,
he can enable it, while it would not be as easy on a binary package
distribution when the maintener disable it.
Hence, my questions:
-1- Does anybody use Gentoo, and what is their experience?
Not me :)
I used it on a chroot, just to try. It was nice, but the lack of
granularity ( ie no separation between library and header ), and my
slow harddrive stopped me from keeping it up to date. However, with a
decent computer, I think it may be a nice distro, something different
and interesting.
I do no like webforum, so I guess I would not have been able to immerge
myself in the community, which is one of my main reason of using my
current distro.
-2- Has anybody really a punchy argument why
source-based software
installation is useful?
Because you can choose the precise version of the component you use for
your server.
Right now, if you are using a binary package distro, like Mandrakelinux,
Debian, or Fedora, you need to use the version of the package that the
vendor choosed for you.
For example, no way to use samba3 on woody, except by backporting. And
backport is not a perfect solution when you start to mix them.
Using emerge somehow ease the backporting.
You can have stable software as a fondation, and you can choose to use
more recent versions of some other servers, even if they are not
labeled as production ready by the gentoo community ( ie unmasked ).
A gentoo dev explained to me that unless debian and other distros,
software are not migrated from the unstable branch to the "testing" or
"stable" branch by a automated script, but people first need to do a
report to say "ok, this software works here, I use this and this as
flags". Once enough peoples have validated the version, it is
"unmasked" by the developer, ie labeled as ready for production
( masked packages are like the unstable/developement version of others
distros ).
However, nothing prevent you to install a masked package on your gentoo,
even if no other version are masked ( and if it works, to write a quick
report, and even if it do not work ).
This way, you can test the software one by one, and not the distro as a
whole.
Having a source based distro also mean you can have the package as soon
as the source are avaliable ( and that you finish to compile ), that
may be interesting in order to gain some time when testing a product or
a server ( and it may be also easier to do than compiling by yourself,
since you can always forget a step ).
One thing that is not great is the lack of security backport. A security
update is usually a update to the version where the Changelog say
"security update" and no patching is done on older versions.
I do not think it is good for a production server to have version
updates ( like using debian testing on a critical server ).
Again, this may have changed, I didn't look.
--
Mickaƫl Scherer
On the importance to respond to proposal email :
http://www.nntp.perl.org/group/perl.bootstrap/1127
2:09 p.m.
Michael Scherer wrote:
I doubt that slackware will die.
I hope so. But it is fragile in the sense that it depends on one person
only. And security updates are getting very rare.
I think there is also binary package, like bsd have.
From the handbook: "Portage supports the installation of prebuilt
packages. Even though Gentoo does not provide prebuilt packages by
itself (except for the GRP snapshots) Portage can be made fully aware of
prebuilt packages."
So Gentoo does not do binaries, other people may.
Because you can choose the precise version of the
component you use for
your server.
That is possible with binary packages as well. Especially Slackware
makes that easy, as it does not check dependencies.
Right now, if you are using a binary package distro,
like Mandrakelinux,
Debian, or Fedora, you need to use the version of the package that the
vendor choosed for you.
Having a source based distro also mean you can have
the package as soon
as the source are avaliable ( and that you finish to compile ), that
may be interesting in order to gain some time when testing a product or
a server ( and it may be also easier to do than compiling by yourself,
since you can always forget a step ).
OK, but you can always compile a different version yourself. My question
is rather if it makes sense to ALWAYS compile from source.
-pu
4:30 p.m.
Patrick Useldinger wrote:
OK, but you can always compile a different version
yourself. My question
is rather if it makes sense to ALWAYS compile from source.
I would not compile every library and command tool myself. I would
concentrate on the services the server provides. For example for a
webserver I would simply take apache, PHP, etc from the project's
homepage instead the distro's version and compile it from source. So you
have the exact version of the software you need, you are independent
from distro updates (security related or not). You are able to switch
distros at any time (or even to OSes like *BSD, Solaris, AIX, ...)
without recreating a new Apache config file since you are able to
compile exactly the same version of the software on the target platform
using the same defaults and paths.
I made the experience that if you are using the distro version of
Apache, Postfix, etc. it may not be possible to reuse the config files
unaltered. Paths may be different. But not only that: Many lines are
commented out in the config files, so the software uses "compiled in"
defaults. "Compiled in" defaults are likely to be not the same on
RedHat's or SuSE's version of Apache! Simply coying a config file
(httpd.conf for example) to a new platform is not enough if you use the
distro's package. People on the projet's forum may find it easier to
help you if you have downloaded the source tarball instead of a distro
specific binary package which has been altered to the distro's needs.
Compiling the entire distro and optimizing it for your CPU may even have
a negative impact. The binaries may be faster on your CPU, but often
they are also larger which means that your caches (CPU cache, file
cache, etc) may not be optimally used. It makes sense to recompile the
kernel for your CPU, the main software that defines the function of your
server (webserver, database, mailserver, etc), perhaps the libc library,
but it rarely makes sense to recompile everything.
Greetings, Patrick Kaell
6:07 p.m.
Patrick Kaell wrote:
I would not compile every library and command tool
myself. I would
concentrate on the services the server provides. For example for a
webserver I would simply take apache, PHP, etc from the project's
homepage instead the distro's version and compile it from source. So you
have the exact version of the software you need, you are independent
from distro updates (security related or not). You are able to switch
distros at any time (or even to OSes like *BSD, Solaris, AIX, ...)
without recreating a new Apache config file since you are able to
compile exactly the same version of the software on the target platform
using the same defaults and paths.
Unless you use a distro that only uses pristine sources, like Slackware.
but it rarely makes sense to recompile everything.
Everybody seems to agree on that... ;-)
-pu
4 Apr
4 Apr
9:58 a.m.
So Gentoo does not do binaries, other people may.
Gentoo does proivide binaries... called GRP's, but only for a base-kde install
f.ex. ... they don't provide every existing package in binary
OK, but you can always compile a different version
yourself. My question
is rather if it makes sense to ALWAYS compile from source.
I'm using gentoo since it's first version.
It is what I was always looking for.
So "does it make sense" ?... depends. If you want to have a system that runs
what YOU want, and has dependencies as YOU want it to... then yes, it makes
sense compiling everything from source, and using gentoo.
Gentoo has a perfect dependency management. There are standard dependecies,
and of course you may globaly remove or add some, or per package.
For a desktop system, it might sound annoying to compile everything from
source.
If you don't have any recent system (like a amd athlon xp 1800 or so), it
really is; but still, you can do updates during the night, or when you're at
work or so.
If you run it on servers, there's no problem at all... you have one machine
which does the compiling, and the others upgrade using binary packages from
that machine...
--
regards,
Georges Toth
4:14 p.m.
Georges Toth wrote:
Gentoo does proivide binaries... called GRP's,
but only for a base-kde install
f.ex. ... they don't provide every existing package in binary
Right, it's a kick-start for new installs. But only at each release,
i.e. twice a year.
I'm using gentoo since it's first version.
It is what I was always looking for.
Ah, at last: a Gentoo user ;-)
What I understand from your arguments is that compiling from source is
necessary because Gentoo is a meta-distribution, and that they couldn't
provide binaries for each and every possible situation. This is the
price to pay if you want to assemble a distro yourself.
Am I right in saying so?
-pu
4:22 p.m.
Right, it's a kick-start for new installs. But
only at each release,
i.e. twice a year.
they do new profile-releases quarterly...
What I understand from your arguments is that
compiling from source is
necessary because Gentoo is a meta-distribution, and that they couldn't
provide binaries for each and every possible situation. This is the
price to pay if you want to assemble a distro yourself.
Am I right in saying so?
I don't know for sure, but I think they don't do regular grp updates simply
because they don't have the ressources to do that for every platform.
But, there are many reasons why they don't or shouldn't do grp's more
oftenly...
There have been a lot of discussions regarding that...
The gentoo philosophy is about the right to choose... you define how your
gentoo distro should look like...
But it sure would be possible to share binaries...
I know a lot of gentoo users, we do share binaries...and it's working
great :-)
--
regards,
Georges Toth
4:46 p.m.
Georges Toth wrote:
they do new profile-releases quarterly...
Not anymore: "The 2005.0 release also marks the beginning of a new six
month release cycle for the Gentoo snapshots, up from the previous
marker of three months"
But it sure would be possible to share binaries...
I know a lot of gentoo users, we do share binaries...and it's working
great :-)
Interesting. I'll sure get back to you on that...
-pu
9:01 p.m.
Not anymore: "The 2005.0 release also marks the
beginning of a new six
month release cycle for the Gentoo snapshots, up from the previous
marker of three months"
Oh, I didn't knew that...
but that's not important anyway, because there is no such thing as "gentoo
version X" :-)
--
regards,
Georges Toth
5 Apr
5 Apr
6:14 p.m.
Patrick Useldinger wrote:
Michael Scherer wrote:
Recently, Patrick Volkerding wrote the following remark in his Security
Advisory Changelog:
<quote>
Just a little note on Slackware security -- I believe the state of
Slackware right now is quite secure. I know there have been issues
announced and fixed elsewhere, and I am assessing the reality of them
(to be honest, it seems the level of proof needed to announce a security
hole these days has fallen close to zero -- where are the
proof-of-concept exploits?) It is, as always, my firm intent to keep
Slackware as secure as it can possibly be. I'm still getting back up to
speed (and I do not believe that anything exploitable in real life is
being allowed to slide), but I'm continuing to look over the various
reports and would welcome input at security(a)slackware.com if you feel
anything important has been overlooked and is in need of attention.
Please remember that I do read BugTraq and many other security lists. I
am not asking for duplicates of BugTraq posts unless you have additional
proof or information on the issues, or can explain how an issue affects
your own servers. This will help me to priorite any work that remains
to be done. Thanks in advance for any helpful comments.
</quote>
Greetings, Patrick
I doubt that slackware will die.
I hope so. But it is fragile in the sense that it depends on one person
only. And security updates are getting very rare. 
3 Apr
3 Apr
1:37 p.m.
Hi,
On Sun, 2005-04-03 at 14:39 +0200, Patrick Useldinger wrote:
Hi,
as Slackware seems to be on the decline, I am currently looking for
alternatives to consider in case Slackware stops existing altogether.
Gentoo comes very close to a lot of my criteria: excellent security
information, excellent documentation, an active community, support for
several processors
you mean hardware architectures I presume
and a large central software repository featuring not
only the latest version but also older, perhaps more stable versions.
Debian has this too, although Gentoo gets the newest software more
quickly then Debian (unless you use the right unofficial apt
repositories I guess).
My main concern is the source-based approach. I
developed an allergy
towards source-based software installation when compiling KDE 3.2 for
FreeBSD, and I expect Gentoo to be no better in that respect. I know
that a stage-3 install will save me from compiling anything but the
kernel at first, but an upgrade will certainly involve hours of waiting
for make and portage to finish. No more "oh, wait, I'll just install
this program and then we may go on".
So what's the use?
Nobody knows :)
When you wrote your first Makefile and understood how it works,
you might have had the thought: "wouldn't it be cool if I could
compile my whole distribution like this".
I think Gentoo is the result of someone going ahead and doing it.
It appears that Gentoo is not noticeably faster than
other distros. One advantage of the source-based approach is certainy
the ability to configure each soft, if you wish to, perhaps yielding in
smaller and maybe more secure binaries. But then again, disk space is
cheap and having to have a C compiler on a production machine is not
always a security advantage either.
Hence, my questions:
-1- Does anybody use Gentoo, and what is their experience?
Not me since I think the whole idea is quite ridiculous.
-2- Has anybody really a punchy argument why
source-based software
installation is useful?
It might be useful for example if you want to compile apache
with stack-smashing protection. But then you can do that with
an RPM or DEB based distribution too, it's not difficult.
That's the only positive argument I could come up with :|
(Rant follows)
Some people like the sense of achievement that compiling
/bin/true with "-O3 -leet -superfast!1" gives. But the speed
benefits that can be obtained with such options are mostly in
the 0-5% range, which is below the limit of perception of
ordinary humans. Another fact that is mostly ignored in
speed-related discussions is that for desktop use, the processor
is not the bottleneck, but rather the IO system.
I suspect most perceived speed benefits are due to the placebo
effect.
By the way, Gentoo users are quite unpopular with software
maintainers. This is because they are quite vocal, they often
use dodgy/overclocked hardware and experimental gcc releases, etc.
Then they complain loudly when software fails on their riced-up
systems.
Of course these generalizations don't apply to all Gentoo users -
but a few black sheep quickly give a bad reputation to the whole crowd.
Obligatory related link: http://funroll-loops.org/
Cheers,
Christian Glodt
Regards,
-pu
_______________________________________________
Lilux-help mailing list
Lilux-help(a)lilux.lu
http://lilux.lu/mailman/listinfo/lilux-help
8:08 p.m.
-1- Does anybody use Gentoo, and what is their
experience?
I used it for a while. From my experience, the OS was very well integrated.
I was impressed how everything seemed to be set up for me automagically
whenever I installed a new program. That applied for both the Gnome and KDE
environments. I liked the speed that I got out of the boot process. Gentoo
only instals what you tell it, so you have complete control from the
beginning of what's on your system (same with Debian --- the RPM based
systems can be peared down, but that is post install). Gentoo is also the
absolute best system that I have seen for running a bleeding edge of
technology system. It doesn't have the dependency problems that RPM based
systems all seem to have.
So, why don't I run it now? Well, I found it a complete pain to download and
recompile all of KDE again, just to do a security patch. If they offered the
ability, just to download a source code patch, that might have been enough to
keep me. Case in point, I upgraded to xorg what ever version. It took
several hours to compile. less than a week later, there was an update, so I
had to wait several more hours for it to compile.
Gentoo is also somewhat sloppy (in my opinion) in it's management of software.
Install KDE without X installed, and it can figure out exactly what needs to
be installed to get it working. But remove kde, it only removes the exact
programs that you specify. Good thing if you know what you are doing and
have the time to do all of the hand management, but if you are like me, and
really have no clue how to manage a system, you are left up a creek without a
paddle. I also noticed that my free harddrive space shrank very quickly. I
never figured out what was eating up my disk space (attribute this to
ignorance on my part).
If Gentoo offered a binary repository with reasonable defaults, I would
consider going back. (I'm running Debian now, and find it quite nice,
especially once you've found some of the better unofficial repositories).
-2- Has anybody really a punchy argument why
source-based software
installation is useful?
If you want to learn loads about how Linux works, install Gentoo. I learned
more about Unix using Gentoo for a few months, than I had learned in several
years using SuSE.
Mike
4 Apr
4 Apr
6:03 a.m.
Hi,
On Sun, Apr 03, 2005 at 10:08:37PM +0200, Mike Pressel wrote:
ACK, that way it's at least a match even for Debian. I haven't seen
any package management system on GNU/Linux as good as emerge (yet).
One thing though, if you don't update for a while, the next time
you do emerge, you may encounter some trouble (BTST).
That's most definitely true. I never tried LFS, which might be even
better that way. Others have pointed out other positive effects of
doing source-based installs (at least of certain packages).
For a productive environment, where you have lots of identical
hardware, you can also have one machine for emerging/testing, and
distribute the packages to the production servers. I know of at
least 1-2 companies doing this here in Luxembourg.
Greetings, Eric
-1- Does
anybody use Gentoo, and what is their experience?
I used it for a while. From my experience, the OS was very well integrated.
I was impressed how everything seemed to be set up for me automagically
whenever I installed a new program. That applied for both the Gnome and KDE
environments. I liked the speed that I got out of the boot process. Gentoo
only instals what you tell it, so you have complete control from the
beginning of what's on your system (same with Debian --- the RPM based
systems can be peared down, but that is post install). Gentoo is also the
absolute best system that I have seen for running a bleeding edge of
technology system. It doesn't have the dependency problems that RPM based
systems all seem to have. So, why don't I run it now? Well, I found it a
complete pain to download and
recompile all of KDE again, just to do a security patch. If they offered the
ability, just to download a source code patch, that might have been enough to
keep me. Case in point, I upgraded to xorg what ever version. It took
several hours to compile. less than a week later, there was an update, so I
had to wait several more hours for it to compile.
That's one of the reasons I don't run it right now, say, on my
laptop (which is the only machine anyway having approx. enough
resources to do all the compiling).
Gentoo is also somewhat sloppy (in my opinion) in
it's management of software.
Install KDE without X installed, and it can figure out exactly what needs to
be installed to get it working. But remove kde, it only removes the exact
programs that you specify. Good thing if you know what you are doing and
have the time to do all of the hand management, but if you are like me, and
really have no clue how to manage a system, you are left up a creek without a
paddle.
Exactly how would you have it do this? Install GNOME, replace by KDE,
remove GNOME and have it remove X because it was installed along with
GNOME? IMHO not a good idea. There'd also be programs from GNOME that
you'd want to keep to run from KDE or even pure X (only keep the
libs from GNOME).
I wouldn't know a single distro that'd manage this "correctly" in
your sense.
I also noticed that my free harddrive space shrank
very quickly. I
never figured out what was eating up my disk space (attribute this to
ignorance on my part).
Free harddrive space *always* shrinks quickly to a few percent of
max. capacity ;-) No need to involve Gentoo there ;-)
If Gentoo offered a binary repository with reasonable
defaults, I would
consider going back. (I'm running Debian now, and find it quite nice,
especially once you've found some of the better unofficial repositories).
Hmm... I was under the impression that indeed Gentoo offers binary
repositories.
I do also run Debian (sarge) on my desktops and laptop now, but at
least on the laptop the main reason was my need for a Debian
environment for presenting courses based on Debian, not so much
problems with Gentoo.
-2- Has
anybody really a punchy argument why source-based software
installation is useful?
If you want to learn loads about how Linux works, install Gentoo. I learned
more about Unix using Gentoo for a few months, than I had learned in several
years using SuSE.
11:26 a.m.
Hi Georges,
On Mon, Apr 04, 2005 at 12:09:51PM +0200, Georges Toth wrote:
I don't remember details, at it was a while back (IIRC on the
Sun U30), but it *was* serious trouble - and got me to do a
full reinstall (as opposed to fixing things, which is my
normal way of doing this kind of stuff). Thinking back, it
could have been some sort of circular impossibility with
kernel/gcc/make/whatever versions.
Greets, Eric
One thing
though, if you don't update for a while, the next time
you do emerge, you may encounter some trouble (BTST).
like what? :-)
that you have 100 packages to upgrade or real trouble ?
10:05 a.m.
So, why don't I run it now? Well, I found it a
complete pain to download
and recompile all of KDE again, just to do a security patch. If they
offered the ability, just to download a source code patch, that might have
been enough to keep me.
Well, there is.
But remove kde, it only
removes the exact programs that you specify.
Yes and No.
If you merge package XY, which depends on kdebase, it's normal that kdebase
gets merged as well.
If you unmerge XY, how should portage know that you want to remove kdebase as
well??
There is a option to remove all packages wich aren't depended on by any other
package.
Or you could get a list of packages, filter everything with kde, and remove
those.
Or just use one of the portage-gui's...
--
regards,
Georges Toth
7163
days inactive
7165
days old
16 comments
7 participants
participants (7)
-
Christian Glodt -
Eric Dondelinger -
Georges Toth -
Michael Scherer -
Mike Pressel -
Patrick Kaell -
Patrick Useldinger