I've managed to avoid taking part in this thread to date, mostly because enough people have been beating the "FOR THE LOVE OF GOD USE YOUR DISTRIBUTION'S PACKAGES" drum. And I'm not entirely sure this even dignifies a response but hey, why not.
On Mon, 2008-06-02 at 10:06 +0800, jam wrote: > Clarke 1 notwithstanding > http://en.wikipedia.org/wiki/Clarke's_three_laws > > and as an elderly (damn not distinguished) I proclaim your concern/rant > unadulterated balderdash > The one about: if you build your own packages and don't pay attention then > your linux box will contract plague etc. > > Frankly, no one I know, has ever had, or knows someone who has ever had a > compromised linux box. Frankly I doubt if all of SLUG ever has ... > > Here compromised means: someone has taken control of the machine and is > using it for some nepharious purpose eg spam DoS etc Hi. Six. The majority handed to me by potential/new customers or friends with servers that have started acting funny, the others resulting from exploits in both inhouse and third party software. Oh, and one very memorable case of an extremely weak user password. All used for assorted nefarious purposes ranging from hosting IRC servers/bots through to FTP drop boxes and DDoS zombies. Quite a few of those were the direct result of software installed outside of the distribution's package management system, and then never updated, documented, or in some cases even used, again. I don't have any significant issues with choosing to use software that isn't provided by your distribution vendor. But packaging it up properly means you've got an easily reproducible version that you can reinstall when (*not* if) you want to expand or rebuild a dead box. And tracking announce/security lists for said software is now completely mandatory, no matter how much you might cry that these things never happen to you. -- Pete -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
