Hi Bill. I've responded to much of what you've written, and snipped the rest:

On May 18, 2007, at 12:57, Bill Hernandez wrote:

Over time I've installed so many different versions of software (mostly Apache, php, pgsql, and a myriad of dependencies) in the form of binaries & source installs on my workstation, and on the servers that after a while I began to feel that I had no clue what's what, or what was where, a big unruly mix and match...

Over time there have been a number of binaries, some better than others. At first I tried binaries from Marc Liyanage, and others, and the problem for me with the binaries was: (1) that you were always from moderately behind, to far behind the current versions. (2) by their nature there's no choice on where, what options, versions, etc. are installed.

I started with Marc's PHP 4 package too. Maybe a year or two ago he did in fact start making the selection of some of the modules configurable through the Mac OS X Installer package. But I switched away from his packages when he was too busy to provide a PHP 5 package.

Some people put a great deal of effort into creating these binaries, and for the most part grateful as you were that someone took the time, they never quite solved the problem.

I began installing from source and found that to be an exercise in total frustration. If you did a simple
./configure (with maybe a couple of simple options)
make
sudo make install

things might install as advertised, but even then you might get failures because you are missing some dependency, or you don't have the correct version of openssl, or libxml, or some other such thing and the install requires a later version. Not to even mention all the warnings the compiler doles out about unsigned variables, etc.

Sometimes when you get involved in what you feel is going to be a 30 minute deal, and three days later at 3:15 am you've installed a boat-load of dependent software, you're on the last leg and the last one just refuses to compile with some cryptic message. You begin to feel like you're inside a huge snowball rolling down the mountain totally out of control, and there's a big giant Sequoia at the bottom, and you just know it's got your name on it. Now you have all this stuff installed that won't work and the only choice is to re-format/erase the drive and restore from the latest backup to try to get back to where you were 72 hours prior. Get that started and go to bed, and hope the next day you'll feel better...

MacPorts is a great help here, because not only are portfiles already written, containing a set of configure options that are thought to be useful, but MacPorts also keeps track of what each software package installed. If you want to just remove one of the software packages you installed with MacPorts, that's no problem, because it knows what files came with what ports so it can uninstall them safely. Also, all (well, most) of MacPorts goes into /opt/local, which means if you get totally screwed up, you just blast away /opt/local and everything (well, most of it) is gone, without having affected your OS in any way.

I used to think I was reasonably safe behind the routers/firewalls, and behind the OSX Server Firewalls until I began reading all the daily vulnerability reports. In fact since I do this as a hobby now, I shut down all the servers the other day, and ordered a new SonicWall TZ 180 Wireless, which supposedly will allow me to encrypt all wireless access from my workstation or laptop at home. This course that my wife took, and the "Sans OnDemand" stuff is really worth the money. I used to think it would be nice to shell out the multi-thousand dollars for Cisco, only to find out that it doesn't matter what you have, it's all vulnerable, whether it's Cisco, SonicWall, etc. The only hope we have is defense in depth. For those of us that can write shell scripts, but are not in the super-guru category, the opportunity that a wrong flag or something to that effect can produce a vulnerability issue is far too real.

When I started doing this, if you were a programmer you could make really good money. Now that so much of the programming has gone overseas, and everybody and their brother writes some level of software, a course like this really wakes you up to the realization that even the average user's computer is in great peril of being used as a parking source to robots, hackers, worms, trojans, etc. from which to launch their attacks. I used to think my stuff was reasonably safe, being OSX based, and after this course I can see that I've been in the land of OZ.

This is sort of a side issue, but I want to say that I feel completely safe with Mac OS X. I have used it since Public Beta was made available 7 years ago, have never had any kind of antivirus software on it, and have never had any virus or similar malware appear. I'm still not aware of any that's ever been written for Mac OS X! Sure, there has been the occasional news article about some Mac malware, but you have to actively work to get it installed on your machine, which nobody would do. And there have been a few issues in Mac OS X that would make it easier for unwanted software to end up on your machine, but Apple releases security updates to patch these problems.

The only time I got something unwanted on my machine was when I was directly connected to the cable modem (I didn't have a router at the time), and had ssh turned on, and had a testing account on my machine with username and password "test". Someone figured this out, logged in, and deposited a little program in my /tmp/ directory and ran it. But that was easy to spot and nuke, and I shouldn't have been so silly with my account name and password. And now I have a wireless router which does not forward any unrequested traffic to my machine.

What a happy life I had before I bought my first TI 16 something_or_other, before the Commodore 64 and the Apple II computers. I can truthfully say that they have sucked the very life out of my soul, they were supposed to make life easier, supposed to help us have more free time, huh? OS X has made things a lot better in some respects, and worse in others. We don't suffer crashes 3 times a day any more, that's good...

At the web site development company I worked for, it was approximately monthly that we decided we all needed to throw our computers out the window and open up a hot dog stand instead. We always seemed to come back to the office the next day though...

Anyway, great as the Mac has been, Apple has done a very poor job in providing help to upgrade the ancient versions of software that come with the OS. They install dark age versions of all kinds of things and never seem to have a path to upgrade any of this stuff.

I see the reason Apple does this though. New major versions of software frequently break things. Mac OS X 10.4.9 currently has PHP 4.4.4, for example, in /usr/bin/php. PHP 5.2.2 is the currently recommended version from the PHP group. But if Apple were to silently upgrade PHP to 5.2.2, some of the user's PHP scripts, which were written to PHP 4 standards, could break, because some things did change between PHP 4 and PHP 5. Apple's thought process is probably that the user bought the product "Mac OS X Tiger" and is now writing or using other software that works with that product. If Apple suddenly changes the composition of that product midstream, that's not good. It's nice for developers to be able to say "My product works with Mac OS X Tiger" and that's all they need to say, as opposed to "My product works with Mac OS X Tiger thru 10.4.8, but 10.4.9 broke it so please don't update yet." Then users would be more wary of installing system updates, and they wouldn't benefit from the other fixes included in that or subsequent updates.

Rather, Apple seems to have a history of making major updates to installed packages only at paid update points, at major OS releases, like the upcoming "Mac OS X Leopard." If someone goes to the trouble of purchasing this new product and installing it from disc, the user can expect that they would also need to upgrade other software to versions compatible with this new OS product. I have a feeling Leopard will include PHP 5, for example, and maybe even Apache 2.

Apple does update the installed packages more frequently if security concerns demand it. For example, I believe Tiger used to ship with PHP 4.3, but 4.4.4 must have addressed some security issues, so it was delivered in one of the monthly Security Updates.

The user has to resort to things like FINK, etc. which puts stuff in non-standard locations "/sw".

It's safer, really. This way Fink (in /sw) and MacPorts (in /opt/local) are completely (mostly) isolated from the rest of the OS. Makes it much easier to disentangle later. If MacPorts (or you, manually) were to install on top of things provided by the OS, the OS might break in mysterious ways. Apple wouldn't be able to help you, because they never tried to do what you're doing. And other MacPorts users wouldn't be able to help you, because they don't know what else you've installed on your machine. Much better when things are cleanly separated as they are.

In my opinion Apple is in a perfect position to know where everything, and I mean EVERYTHING (pathwise, and dependency wise) is located since they shipped it installed. So that even if they are not going to handle the upgrades from Apache 1.3 on OSX, or Apache 2.0.52 on OSX Server, or openssl .96d, or php 4.x to the current versions, they should have some really good instructions on how to replace and upgrade the existing outdated versions. Shamefully they don't do anything of the sort...

Perhaps if you are a home user with an iMac or a laptop you can get by with Apache 1.3, (we're talking 4 or 5 years after Apache 2 became available) but certainly if you are shelling out a bunch of money for OSX Server, Apple should be more forthcoming. Their policy seems to be install it and forget. The user won't notice how ancient this stuff is, and even if they do "We'll just tell them that's not part of the 90 day support"...

First off, Mac OS X Server has included Apache 2 for many many years. Granted, it's not the default, and you can't use their pretty GUI to configure it, but it is there and can be used.

As to the support AppleCare provides, it's not really their job to help you with UNIXisms. AppleCare's job is to make sure Mom can check her email and make a photo book to send out at Christmas, Billy can video chat with his friends to talk about the movie they're going to make to show off their skateboarding skills, and Dad can make an impressive Keynote presentation so he can get promoted to Assistant Manager. And if you've paid $1000 for Mac OS X Server support, then their job is to help you with server management tasks using Apple tools. But that's about it. UNIX system administration requires many more additional skills, which AppleCare representatives do not receive any training for and are therefore in no position to impart to you.

It's hard for me to believe that Apple is totally unconcerned with this problem. In my opinion Apple's lack of interest in maintaining the software packages they pre-install with the OS up to date is shameful. I do not think they should be responsible for any user installed stuff, but they should certainly provide a way to keep software that comes with the OS up to date, such as the software previously mentioned...

Apple does keep the OS up-to-date with regular software updates, and they are very easy to install; just click the Install button. However, IMHO in order to maintain software compatibility throughout the life of the OS product, they don't make major changes to the installed packages until the next major OS release.

Before I install (Apache2, PHP5, PostgreSQL, mySQL) I wanted to find out if there was a preferred way of doing this ?

It seems like PHP should be last because of the --with APXS2 that requires a path to Apache, but in this case where MacPorts knows where everything is going to be installed anyway maybe it doesn't matter?

Ports in MacPorts define what other ports they depend on, but the syntax does not at present allow it to specify what *variants* of that port would be ideal. So, for example, if you do not yet have mysql5 installed, and you install php5 +apache2 +mysql5, MacPorts will install apache2 and mysql5 for you first, but with the default set of variants. If you want to run a MySQL server, however, you will want to install mysql5 +server. So it would behoove you to install mysql5 +server first, then install php5 with the desired variants. Otherwise you will have to later forcibly uninstall the non-server mysql5 and then install mysql5 +server.


_______________________________________________
macports-users mailing list
[email protected]
http://lists.macosforge.org/mailman/listinfo/macports-users
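
The install-order advice in the last reply, as an added example that is not part of the original message: a pre-flight check that reads a `port installed` listing and prints the commands needed to get a port installed with a wanted variant before anything pulls it in as a default-variant dependency. The listing and its version strings are constructed sample data, and the function names `variant_state` and `plan` are hypothetical.

```shell
#!/bin/sh
# Added example: check variants before "port install php5 +apache2 +mysql5".
# SAMPLE_INSTALLED is constructed text in the layout of "port installed";
# on a real system pass "$(port installed)" instead. Versions are made up.
SAMPLE_INSTALLED='The following ports are currently installed:
  apache2 @2.0_0 (active)
  mysql5 @5.0_0 (active)
  php5 @5.0_0+apache2+mysql5 (active)'

# variant_state LISTING PORT VARIANT
# Prints "missing" if PORT has no active copy, "ok" if the active copy
# was built with +VARIANT, "wrong-variants" if it was built without it.
variant_state() {
    listing=$1
    port=$2
    variant=$3
    # Field 2 of an active entry is "@version_revision+variant+variant".
    spec=$(printf '%s\n' "$listing" |
        awk -v p="$port" '$1 == p && $3 == "(active)" { print $2; exit }')
    if [ -z "$spec" ]; then
        echo missing
        return 0
    fi
    # Append "+" so the last variant is delimited on both sides.
    case "$spec+" in
        *"+$variant+"*) echo ok ;;
        *) echo wrong-variants ;;
    esac
}

# plan LISTING PORT VARIANT
# Prints the port commands to run first; prints nothing if PORT is fine.
plan() {
    case $(variant_state "$1" "$2" "$3") in
        ok) ;;
        missing)
            echo "sudo port install $2 +$3" ;;
        wrong-variants)
            # The default-variant copy must go before the rebuild.
            echo "sudo port -f uninstall $2"
            echo "sudo port install $2 +$3" ;;
    esac
}

plan "$SAMPLE_INSTALLED" mysql5 server
```
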
