
I'm using the cheapest Amazon Lightsail instance to set up an Nginx + Node.js server.

I have compiled Nginx successfully already; however, it's taking too long to compile Node.js.

Is this even a good practice to compile Node.js from source? Should I just use the version from the package manager?

The specs for the Lightsail instance are:

512MB RAM
1 vCPU
20 GB SSD
512 GB Transfer

The first time I tried to compile Node.js, GCC seemed to have run out of memory. I got this error: `internal compiler error: Killed (program cc1plus)`. I created a swap file to increase the available RAM size, as described here (`dd`, `mkswap`, `swapon`, add to `/etc/fstab`).

Now it's compiling, but taking hours to complete. Should I wait for the compilation to finish or install from the package manager?

gregn3
  • Why would you compile either one? – Michael Hampton Aug 14 '20 at 21:46
  • @MichaelHampton For security and customization. – gregn3 Aug 14 '20 at 21:46
  • Customization, sure, but "security"? Are you even customizing Node.js? – Michael Hampton Aug 14 '20 at 21:49
  • @MichaelHampton Not customizing Node.js currently, just compiling it as a precaution. I expect that to be more secure than using a binary version from a package manager. – gregn3 Aug 14 '20 at 21:51
  • How is that possibly "more secure"? What is your threat model? Why aren't you compiling every package from scratch? – Michael Hampton Aug 14 '20 at 21:52
  • @MichaelHampton OK, I'm new to security. From general coding experience I expect a known binary from a package manager to have possibly known vulnerabilities; a version compiled from source may have a slightly lower chance of containing the same vulnerabilities, even if compiled from the same source. The compilation process can be different. I expect Nginx and Node.js to be the most exposed, so I should try to secure at least these. Yeah, I agree compiling everything from source would make more sense. The threat model is, possibly known vulnerabilities in the apps used to serve the content. – gregn3 Aug 14 '20 at 22:05
  • That really doesn't make any sense though. There's not a lower chance of a vulnerability existing in code you compiled yourself as opposed to if the distro maintainers compile it. And they are already patching vulnerabilities and shipping security updates for you. It sounds like you're doing a lot of unnecessary work for no actual benefit. – Michael Hampton Aug 14 '20 at 22:17
  • @MichaelHampton I need to make an effort for security. Just installing from a package manager feels insecure. – gregn3 Aug 14 '20 at 22:24
  • It is not insecure. What you are doing is insecure. You won't keep that up to date. You'll forget, or not want to spend the time on it. Your distro maintainers will keep up. – Michael Hampton Aug 14 '20 at 22:25
  • @MichaelHampton Then I need an automated way to keep it up to date. `There's not a lower chance of a vulnerability existing in code you compiled yourself as opposed to if the distro maintainers compile it.` I could use a different version of a library, for example. Even if I use the same libraries, the environment might be different. (I don't know.) – gregn3 Aug 14 '20 at 22:30
  • Turn on automatic updates, then. Done. – Michael Hampton Aug 14 '20 at 22:38
  • @MichaelHampton OK, however anything out of the box and automated feels automatically insecure. I need to learn more security. – gregn3 Aug 14 '20 at 22:42
  • Your feelings are absolutely misleading you. I have no idea how you got those impressions, but definitely studying the way things actually work can only help. – Michael Hampton Aug 14 '20 at 23:04
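
The staleness concern raised in the comments above can be checked mechanically. The following is an added example, not part of the original thread and not Node.js project code: it lists security-flagged releases newer than a self-compiled build on the same major line, assuming release metadata shaped like https://nodejs.org/dist/index.json. The function names and the sample versions are constructed for illustration.

```javascript
// Added example: detect when a self-compiled Node.js has fallen behind
// security releases on its own major line.
// Assumption: `index` has the shape of https://nodejs.org/dist/index.json,
// i.e. an array of { version: "vX.Y.Z", date, lts, security } objects.

// Parse "v14.8.0" (or "14.8.0") into [major, minor, patch]; null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Return security-flagged releases on the same major line that are newer
// than `installed`, oldest first. Malformed index entries are skipped.
function missedSecurityReleases(installed, index) {
  const cur = parseVersion(installed);
  if (!cur) throw new Error(`unparseable version: ${installed}`);
  return index
    .map((r) => ({ ...r, parsed: parseVersion(r.version) }))
    .filter((r) => r.parsed && r.parsed[0] === cur[0])
    .filter((r) => r.security === true && compareVersions(r.parsed, cur) > 0)
    .sort((a, b) => compareVersions(a.parsed, b.parsed))
    .map((r) => r.version);
}

// Constructed sample data (not real releases), newest first like the real index.
const SAMPLE_INDEX = [
  { version: "v91.0.0", date: "2020-01-05", lts: false, security: true },
  { version: "v90.3.1", date: "2020-01-04", lts: false, security: true },
  { version: "v90.3.0", date: "2020-01-03", lts: false, security: false },
  { version: "v90.2.1", date: "2020-01-02", lts: false, security: true },
  { version: "v90.2.0", date: "2020-01-01", lts: false, security: false },
  { version: "not-a-version", date: "", lts: false, security: true },
];

// On a real host, pass process.version and the fetched index instead.
const missed = missedSecurityReleases("v90.2.0", SAMPLE_INDEX);
console.log(missed.length ? `behind on: ${missed.join(", ")}` : "up to date");
```

Run from cron or a CI job against the fetched index, a non-empty result is the signal that the hand-built binary needs rebuilding.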
