On Sat, 2005-09-10 at 14:29 -0500, John Jolet wrote:
> We're in the process of transitioning from 32-bit Redhat (7 I think) web/app
> servers to 64-bit gentoo web/app servers. One concern I've got is from a
> security standpoint, normally you don't deploy webservers with development
> tools on them. How do you guys handle this question with internet-facing
> production servers?
>
> One thought I had was to set up a build server, build the binaries on this
> server, and do an emerge of the binaries FROM this server to the production
> servers, with gcc and such removed from them. Will this work?

Yes. From emerge(1):

    --buildpkg (-b)
        Tells emerge to build binary packages for all ebuilds processed in
        addition to actually merging the packages. Useful for maintainers
        or if you administrate multiple Gentoo Linux systems (build once,
        emerge tbz2s everywhere). The package will be created in the
        ${PKGDIR}/All directory. An alternative for already-merged packages
        is to use quickpkg which creates a tbz2 from the live filesystem.

I would recommend building packages on a build server with --buildpkg,
installing them on a testing server, and once tested re-packaging them with
quickpkg on the testing server to install on the production servers. (The
advantage of quickpkg is it picks up changes to configuration files.)

Of course, you could combine the build and testing servers onto one machine.

HTH.

--
gentoo-user@gentoo.org mailing list
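
One way to confirm the "gcc and such removed" state on a production server after it has been installed from binary packages, as an added example that is not part of the original thread. The function name find_build_tools and the TOOLS list are assumptions to adjust for your own hosts.

```shell
#!/bin/sh
# Added example: audit directories on a production host for leftover build tools.
# TOOLS is an assumed, adjustable list; it does not come from the thread.
TOOLS="gcc g++ cc c++ cpp as ld make"

# find_build_tools DIR...
# Prints the path of every executable file in the given directories whose name
# is a listed tool, optionally with a target prefix (x86_64-pc-linux-gnu-gcc)
# or a version suffix (gcc-4.1.1). Missing directories are skipped.
# Returns 0 when nothing was found and 1 when at least one tool is present.
find_build_tools() {
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for path in "$dir"/*; do
            # Only executable regular files (or symlinks to them) count.
            if [ ! -f "$path" ] || [ ! -x "$path" ]; then
                continue
            fi
            name=${path##*/}
            for tool in $TOOLS; do
                case "$name" in
                    "$tool"|*-"$tool"|"$tool"-[0-9]*|*-"$tool"-[0-9]*)
                        printf '%s\n' "$path"
                        found=1
                        break
                        ;;
                esac
            done
        done
    done
    [ "$found" -eq 0 ]
}

# Run as: sh audit.sh /usr/bin /usr/local/bin /opt/bin
# (audit.sh is a hypothetical file name for this script.)
if [ "$#" -gt 0 ]; then
    find_build_tools "$@"
fi
```

A non-zero exit status means a build tool is still reachable in one of the audited directories, so the check can gate a deployment step or run from cron.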