SCIENTIFIC-LINUX-USERS Archives

December 2020

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Konstantin Olchanski <[log in to unmask]>
Reply To: Konstantin Olchanski <[log in to unmask]>
Date: Mon, 14 Dec 2020 11:27:42 -0800
On Sun, Dec 13, 2020 at 05:36:30PM -0800, Keith Lofstrom wrote:
> New distro releases imply:
> 
> 1) security fixes,
> 2) bug fixes,
> 3) new hardware drivers,
> 4) new applications,
> 5) and changed behavior (i.e., Gnome2 to Gnome3).
> (the list is probably not complete)
> 

I think "SL7 forever" is a good idea.
I think "SL6 forever" is not practical due to lack of c++11,
and el7 will run into the same problem eventually (c++14, c++20, etc).

I think in practice, one would want to retrofit el7 machines
to the current-release linux kernel. This is not difficult
to do, as linux kernel backward compatibility is exemplary.
elrepo already provides the required kernel packages, and it is
easy to retrofit them into the el7 installer image. (ask me).

If you go this route, item (3) is fully covered, items (1) and (2)
are covered for kernel security and bugs.

For application side security, you need to scan all open network ports,
and ensure all applications that talk on that port are covered
for security and bug fixes. A partial list would include sshd, httpd,
email server, dhcp client, ntp client, nfs client and server (userland components),
and this brings us to items (4) and (5).

For items (4) and (5), one has to take the current source code
of the applications (and critical system services like httpd),
and "back port" them to el7.

I have done this in the past with mixed success, typical problems
include "cmake is too old", "autoconf/autotools are too old".

Each "xxx too old" problem is solved by rebuilding "xxx" from
current sources, this usually creates a few more "xxx is too old"
dependencies. By the time you run into "glibc is too old" and "gcc is too old",
it is time to give up. (notice how there is no KDE5 for el7!).

All these problems are already solved by "ports" and "homebrew" in the Mac world,
where these tools bring the latest versions of linux software to run on
the antique bsd-ish operating system hidden behind the glamour/glitter of MacOS.

In summary, "SL7 is forever" is possible:

a) retrofit current production release linux kernels (i.e. from elrepo, or build from source)
b) retrofit the "ports" or "homebrew" system from the Mac world.

How much work does it take? Ask elrepo people (linux kernel) and homebrew people.

P.S. RedHat already do "b" with their "software collections", minus the "re-build from source" part.

-- 
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada
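
The port audit described in the message above ("scan all open network ports" and identify the applications behind them), as an added example that is not part of the original post. The function names and the sample `ss -tulpn` text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Inventory of listening
# sockets from `ss -tulpn` text; function names are hypothetical.

# listeners: read `ss -tulpn` output on stdin and print one line per unique
# "proto port process scope". scope is "local" for loopback-only binds.
listeners() {
    awk '
    $2 != "LISTEN" && $2 != "UNCONN" { next }    # also skips the header row
    {
        n = split($5, parts, ":")                # $5 = Local Address:Port
        port = parts[n]
        addr = substr($5, 1, length($5) - length(port) - 1)
        loopback = (addr ~ /^127\./ || addr == "::1" || addr == "[::1]")
        proc = "-"                               # kernel listeners (nfsd) have no owner
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print $1, port, proc, (loopback ? "local" : "exposed")
    }' | LC_ALL=C sort -u
}

# exposed: only the listeners reachable from the network.
exposed() {
    listeners | awk '$4 == "exposed"'
}

# Constructed sample in the el7 `ss` layout (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      *:68               *:*      users:(("dhclient",pid=812,fd=6))
udp   UNCONN 0      0      127.0.0.1:323      *:*      users:(("chronyd",pid=700,fd=5))
tcp   LISTEN 0      128    *:22               *:*      users:(("sshd",pid=1034,fd=3))
tcp   LISTEN 0      128    :::22              :::*     users:(("sshd",pid=1034,fd=4))
tcp   LISTEN 0      128    :::80              :::*     users:(("httpd",pid=1501,fd=4),("httpd",pid=1502,fd=4))
tcp   LISTEN 0      100    127.0.0.1:25       *:*      users:(("master",pid=1200,fd=13))
tcp   LISTEN 0      64     *:2049             *:*
EOF
}

sample_ss_output | exposed
```

On a live host, run `ss -tulpn | exposed` as root so the process column is populated; `rpm -qf` on each listener's binary then names the package that has to be tracked for security and bug fixes.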
