
The Webtatic repository has lots of useful packages for CentOS and Red Hat. However, the repository is very opaque and I have a hard time finding information about who is behind it, apart from "Andrew Thompson", known as Andy around here.

He seems to be doing a great job providing all these useful packages. I need to use the repository on live company servers, and using unofficial repositories immediately triggers an alarm in me.

  • Is it a single-person repository?
  • Is it backed by a company?
  • It seems to have existed for a few years now, but what about tomorrow? (apart from the giant asteroid that could wipe us all out)
  • How secure is it? I don't want the next yum update to download a trojan.
  • How quickly are security fixes deployed for the provided packages? ....

Feedback from real life CentOS/RedHat administrators will be greatly appreciated.

Thanks in advance

chicks
Niki
    I would note that there are at least two very different levels of trust: as a developer, I care mainly if the packages are clean (not altered maliciously) and reasonably up-to-date. It is as a sysadmin that I care enormously about long term support, and longevity of the maintainers. – jhominal Apr 05 '17 at 17:35
  • Correct. Here I ask as a sysadmin, changing server OS/tech only every 5 or more years – Niki Apr 05 '17 at 21:51
  • Both as a system admin and developer it's important to use decent sources of builds. Otherwise you'll risk having problems such as bad builds causing bugs or limitations in feature sets, etc. A bad source might be distributing packages without things like -O2 and you'll be totally clueless as to it. – jgmjgm Apr 16 '19 at 15:57

4 Answers


Back when I first started as a Linux admin 8 years ago I used to use a popular third party repository to upgrade my LAMP stack. It was run by a single individual. One of the primary reasons was developers pressuring me for a newer version of PHP than what came with RHEL 5. It ended up biting me.

The person abandoned the repositories, so I was no longer getting security updates, but I also could not remove all the newer packages and go back to the RHEL packages because the RHEL version of PHP was from too old a branch. Moving to that repository's LAMP stack touched at least half a dozen packages or more. So, maintaining those packages and recompiling them all by hand from time to time would be a major PITA.

You also lose the ability to use the OS vendor's security advisories regarding CVE vulnerabilities to determine whether your system is or is not vulnerable to a certain exploit for those packages. This proved to be a major problem for me years later, even though I would never have anticipated it at the time.

So, in addition to having trust in the maintainers' integrity and technical skills, you have to ask yourself whether you trust them not to move on to a new job that won't allow them to maintain the repository, or get married and have kids and no longer have time, etc....

Since then I have been very skittish about using any third party repositories, especially those that only have one person running them.

digitaladdictions
  • Thanks! These are all the questions I am already asking myself; however, your experience is partially an answer to my main question. Now I just hope I can get some more specific feedback about the Webtatic repo in particular, otherwise I think I will follow your advice, which is also my gut feeling and what I always did until now. (Like you, it's about the PHP version...) – Niki Apr 04 '16 at 19:03

The question is not if we trust Andy, it is if you trust Andy.

I'm not familiar with the repository but the donation button suggests a personal effort. Feel free to contribute if it has value to you.

Packages look to be GnuPG signed, so it is possible to verify with some certainty the packages are authentic. You can also check if he is on the web of trust.

Regarding quality or security, it's best if someone else has a look at how the repository is doing. This could be you. Subscribe to the upstream security advisories and check if they are affected. Evaluate the packages as a reviewer would for Fedora.

If continuity of these packages is important to you, acquire similar skills. Learn packaging or hire someone who can.

John Mahowald

Remi is the standard for latest builds of PHP for RHEL. He is a long established and reliable source for RPM packages that's being actively maintained and includes as many relevant packages as possible.

The webtatic source is unknown and untrusted. It shouldn't be used at all.

I found it running on a legacy system. It had a serious memory leak in it. I replaced it with Remi, exactly the same PHP version and suddenly everything's running smoothly. I don't think it's even a stable compile.

jgmjgm

In general, unless you know there's a feature you actually seriously need and actually can't live without (as many people will believe they can't .. until it's a choice between 'old' or nothing) then stick with the vendor packages.

Teach your webdevs why a branch isn't a stagnant snapshot, and show them - PHP is a great one for this - how upstream rebasing brings in far more bugs; and how in many cases the response time for a backport around a security issue is actually faster and more reliably delivered by a distro in their maintained branch (because it's someone's priority and job) than in the upstream OEM version.

You may be the one who actually succeeds, and you owe it to the rest of us to try ;-)

user2066657
  • PHP is a pretty poor example for this: We almost always need point releases for bugfixes, but the distros do not provide them. They have good reason, of course. But having the repos available where we can get bugfixes in point releases is extremely helpful. – Michael Hampton Aug 03 '18 at 15:02
  • We use different distros, I suspect. I haven't seen a lack of bugfix and security updates in PHP, even though the distro has branched at a certain upstream version and the version appears locked to the layman. rpm -q php --changelog shows weekly updates with bugfixes and security updates aplenty. I'm sorry if you're not getting the same mileage :-( – user2066657 Aug 03 '18 at 15:41
  • Definitely different distros. I don't see that in PHP on RHEL 7.5 or CentOS 7.5. Fedora has updated PHP packages though, and generally doesn't have this problem. Fortunately Remi Collet, the Red Hat employee who builds RHEL's PHP packages, also maintains repos with PHP point releases. Which is part of the reason Red Hat hired him. – Michael Hampton Aug 03 '18 at 15:49
  • Hmm. I was looking at the RH/Centos ones. I can't explain why you're not seeing the same --changelog I am, and I'm sorry to see it. I wish Remi would update SCL a bit more. I'm seeing slowdowns there (7.1.8 and not even a package release to update). I was actually mostly convinced he'd moved on, this morning. If only Fedora wasn't a mayfly. – user2066657 Aug 03 '18 at 20:53
  • Really? I don't know what packages you are looking at but I see no updates since php-5.4.16-45.el7. Maybe you're looking at something from a software collection? Speaking of which, SCLs are on a bit slower pace. If you actually want PHP releases as they happen, hit up https://rpms.remirepo.net/ – Michael Hampton Aug 03 '18 at 20:56
  • We can't use Remi's in-house. Same hands, different SLO. The alternatives are bleak. You may have to remind me what fixes the 5.4.16-45 is missing, so I can tell stagnant from mature. – user2066657 Aug 03 '18 at 21:04
  • The last changelog is * Tue Jan 23 2018 Remi Collet - 5.4.16-45 - gd: fix buffer over-read into uninitialized memory CVE-2017-7890 Fortunately for me and my clients, I control which repos get used for sites I manage. :) – Michael Hampton Aug 03 '18 at 21:28