On Jun 22, 2006, at 4:27 PM, Steve Holdoway wrote:
> Given the tools that you run are all client facing and prime targets,
> I'd build everything from scratch, as bleeding edge as I dare.
Really? Why would you want to do that?
IMHO, the *most* important aspect of client-facing software is
stability, not bleeding-edge features. If you're following a
development branch, in order to get security fixes you have to accept
API changes, which introduce instabilities.
A recent example of that would be PHP - v5.1.3 was a very large bugfix
update addressing many resource issues that could be effective DoS
targets. That's 120 different bug fixes to evaluate. It totally and
utterly broke HTTP POST, and v5.1.4 was issued two days later. Easy to
avoid, because you don't upgrade on the day something is released, eh?
Unfortunately, you might not notice that v5.1.3 also dropped some API
calls ... without which your application might stop working :-) but not
all the time, otherwise you would notice right away ...
Stick with Debian (or Ubuntu, or whoever else has a reactive security
team), and your version of PHP5 would have all the security bugs fixed,
*without* forcing a version upgrade with attendant API changes.
Sometimes this means that your developer has to eschew the latest
assistance features from the language/framework/platform of choice, and
actually write something themselves :-)
-jim
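The point Jim makes about Debian (security fixes land as new Debian revisions of the same upstream version) can be checked mechanically from the package's Debian changelog. The following is an added example, not code from the thread: it parses a changelog in Debian's format, splits versions into epoch / upstream / Debian revision, and reports which entries newer than the installed version mention a security fix while the upstream version stays put. The package name php5 comes from the post; the version numbers, maintainer, dates and changelog text are constructed for illustration and are not real Debian entries.

```python
"""Check whether a distro package carries security fixes as backports,
i.e. new Debian revisions of the same upstream version, by parsing a
Debian-format changelog.

Constructed example: the versions, maintainer, dates and change text
below are made up for illustration, not real php5 changelog entries.
"""
import re
from typing import List, NamedTuple, Tuple

# Constructed changelog (newest entry first, as Debian changelogs are).
# The upstream part stays 5.1.2 while only the Debian revision changes.
SAMPLE_CHANGELOG = """\
php5 (5.1.2-3) stable-security; urgency=high

  * Backport upstream fix for a memory exhaustion bug reachable via
    oversized request bodies (security fix).

 -- Example Maintainer <maint@example.invalid>  Mon, 22 May 2006 10:00:00 +0000

php5 (5.1.2-2) stable-security; urgency=high

  * Backport upstream fix for an integer overflow in string handling
    (security fix).

 -- Example Maintainer <maint@example.invalid>  Fri, 07 Apr 2006 10:00:00 +0000

php5 (5.1.2-1) unstable; urgency=low

  * New upstream release.

 -- Example Maintainer <maint@example.invalid>  Mon, 16 Jan 2006 10:00:00 +0000
"""

# "package (version) distribution; urgency=level"
HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=(\S+)$")
# " -- Maintainer <email>  date" (two spaces separate maintainer and date)
TRAILER_RE = re.compile(r"^ -- .+  .+$")


class DebVersion(NamedTuple):
    epoch: int
    upstream: str
    revision: str


def parse_version(v: str) -> DebVersion:
    """Split [epoch:]upstream[-revision]. The revision is everything after
    the LAST hyphen, because upstream versions may contain hyphens."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return DebVersion(epoch, upstream, revision)


class Entry(NamedTuple):
    package: str
    version: DebVersion
    distribution: str
    urgency: str
    changes: str


def parse_changelog(text: str) -> List[Entry]:
    """Parse the changelog into entries, newest first (file order)."""
    entries: List[Entry] = []
    header = None
    body: List[str] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header, body = m, []
            continue
        if header is not None and TRAILER_RE.match(line):
            entries.append(Entry(header.group(1), parse_version(header.group(2)),
                                 header.group(3), header.group(4),
                                 "\n".join(body).strip()))
            header = None
            continue
        if header is not None:
            body.append(line)
    return entries


def backported_fixes(changelog: List[Entry], installed: str) -> Tuple[bool, List[Entry]]:
    """Return (same_upstream, fixes): the entries newer than `installed` whose
    text mentions a security fix, and whether all of those newer entries keep
    the installed epoch and upstream version (i.e. they are pure backports,
    not a version upgrade with possible API changes)."""
    inst = parse_version(installed)
    newer: List[Entry] = []
    for e in changelog:          # newest first; stop at what we run
        if e.version == inst:
            break
        newer.append(e)
    fixes = [e for e in newer if "security" in e.changes.lower()]
    same_upstream = all(e.version.epoch == inst.epoch and
                        e.version.upstream == inst.upstream for e in newer)
    return same_upstream, fixes


if __name__ == "__main__":
    same, fixes = backported_fixes(parse_changelog(SAMPLE_CHANGELOG), "5.1.2-1")
    print("upstream unchanged:", same)
    for f in fixes:
        print(f"{f.package} {f.version.upstream}-{f.version.revision}: {f.changes.splitlines()[0]}")
```

On a real Debian or Ubuntu host the same format is found in /usr/share/doc/<package>/changelog.Debian.gz, and the installed version comes from `dpkg-query -W -f='${Version}' php5`; feeding those two into `backported_fixes` tells you whether the fixes you are missing would arrive as a revision bump or as a new upstream release.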