5

I manage several BIND DNS servers (on RHEL/CentOS) for authoritative lookups (forward and reverse) as well as dedicated caching-only services. I've always just used the latest stable BIND in the package manager, but have wondered whether I should be compiling the latest stable to "do it right". What do others do? Pros and cons to compiling?

S. Cobbs
  • 2
    If you don't have a really strong reason to compile your own, then you probably shouldn't. – Zoredache May 11 '11 at 19:38
  • Also see: http://serverfault.com/questions/117388/source-vs-package-managers-on-the-job -- http://serverfault.com/questions/24640/source-based-distros-vs-prebuilt-package-based-distros – Zoredache May 11 '11 at 19:41
  • Great links! Thanks for taking the time to comment, these were helpful. – S. Cobbs May 11 '11 at 20:28

4 Answers

7

Generally I keep up-to-date using the vendor's latest packaged version. In the case of RH (and CentOS), although their major release number might not change on a package, they usually backport key and critical patches from the later releases.

To make things easier for me in the event that I really do want to go to a much later release of a package, I download the vendor source package, get the new version of the software to be compiled, and fix the specs package for the package to accommodate the new version. Once the package(s) are generated from running an rpmbuild, I can then rpm --install them. One nice thing about doing it this way is that the final resting spots and configure options are preserved without a lot of hassle.

mdpc
  • This seems like the most practical solution. Backports take care of major security concerns, and building from source RPMs when more recent versions are required sounds like a manageable route. Now I need to figure out how that works..... – S. Cobbs May 16 '11 at 18:30
4

I use the packaged version, ESPECIALLY for internet-facing applications. If you use a major distro like CentOS, Red Hat, Ubuntu, or Debian, you will get all the latest security fixes, even if it is not the latest major version number. Security and stability are much more important than having the absolute latest features, especially with something like BIND.

James
3

I'm going to go against the flow on this one. For something that faces the Internet I prefer to use the latest stable version, so I build from source. I don't know about Red Hat but CentOS packages tend to be a fair bit behind the latest versions, which means you may well be installing something that already has known security issues. I just get nervous about that kind of thing.

John Gardeniers
  • 4
    RHEL/CentOS has a backporting strategy for fixing security bugs. You'll stay on the same version as when your OS was initially released but they will manage fixing important security bugs and backporting those changes for you. – dmourati May 11 '11 at 22:28
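
The backporting described in the comment above means the upstream version number of a vendor package does not show which fixes it carries; the package changelog does. The script below is an added example, not part of the original thread: it lists the CVE ids recorded in `rpm -q --changelog` output and checks for specific ones. The function names are hypothetical, and the sample changelog with its CVE ids is constructed placeholder data.

```shell
#!/usr/bin/env bash
# Added example: see which CVE fixes a vendor package's changelog records.
# Real use on an RPM-based host:  rpm -q --changelog bind | changelog_cves

# Constructed sample in the layout of `rpm -q --changelog` output.
# The CVE ids, dates and names are placeholders, not real advisories.
SAMPLE_CHANGELOG='* Tue Jan 02 2001 Example Packager <pkg@example.invalid> 9.0.0-3
- Resolves: CVE-0000-0002 (placeholder) backported fix
- rebuild

* Mon Jan 01 2001 Example Packager <pkg@example.invalid> 9.0.0-2
- fix CVE-0000-0001, CVE-0000-0002 (placeholders)
'

# Print each CVE id mentioned on stdin once, sorted.
changelog_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# cve_fixed CVE-ID: succeed only if the changelog on stdin names exactly that id.
cve_fixed() {
    changelog_cves | grep -qxF -- "$1"
}

# report_cves CHANGELOG_TEXT CVE-ID...: one status line per requested id.
report_cves() {
    _log=$1
    shift
    for _id in "$@"; do
        if printf '%s\n' "$_log" | cve_fixed "$_id"; then
            echo "$_id backported"
        else
            echo "$_id NOT-IN-CHANGELOG"
        fi
    done
}

# Demo on the constructed sample.
report_cves "$SAMPLE_CHANGELOG" CVE-0000-0001 CVE-0000-0003
```

An id missing from the changelog is a prompt to read the vendor's advisory for that CVE, not proof that the package is affected.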
2

Use the packaged versions for anything you can. If you have to deviate, you need to subscribe to the mailing lists and pay attention for any software vulnerabilities so you know when you'll need to patch.

dmourati