[UPDATE AT https://blog.gahooa.com/2009/02/08/update-on-fedora-vs-redhat-enterprise-linux/]
At AppCove, we run RedHat Enterprise Linux on all of our servers. RHEL is great, because:
- It works
- It still works
- Automatic security updates
- Did I mention, it just works?
RedHat, as far as I know, takes patching very seriously: every RPM they ship gets patched and the fix is pushed out automatically via the update agent (up2date). They are very conservative about the package versions they publish. RHEL 4, for example, still ships PHP 4.x, Python 2.3 and MySQL 4.x… I believe they do this to maintain stability and long-term support.
However, for a company like AppCove, those versions are simply too old. For years we have hand-compiled about a dozen packages on RHEL 4 in order to take advantage of relevant features in newer software. PHP, Python, MySQL (from the RPMs supplied by mysql.com), python-mysql, git, erlang, memcached, libmcrypt, and others are on the growing list of software that we have to install manually.
With this growing list comes a growing burden of security updates and maintainability, since nothing we build by hand is covered by the automatic updates. More complicated packages need newer libraries, creating a chain reaction of additional packages to build and track. Etc…
—
Recently I signed up for a “slice” at SliceHost. (SliceHost provides virtualized machines at a great price, with lots of room to scale.) I chose Fedora Core 10 for the OS, and I must say I have been very impressed.
All of the packages I have needed were right there, available via yum install: PHP, Python, python-mysql, erlang, memcached, php-memcached, python-memcached, git, etc…, etc…, and did I mention that even tree was there? And it has all “just worked”.
—
In summary, here are the items that I need to resolve:
- Is Fedora considered as “secure” as RHEL? Is there a team dedicated to getting security patches out fast once a vulnerability is identified?
- Are continuous upgrades in Fedora an issue? Do software packages get updated abruptly, without notice? (This has at times been an issue with RHEL.)
- Is it possible to run RHEL while also connecting to Fedora package repositories to install specific packages? Is that desirable or undesirable? Does it cause conflicts?
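Two of the concerns above can be checked from the RPM database on any box: which installed packages are hand-built or third-party (the list from earlier that gets no automatic security update from up2date), and which packages were pulled in from another distribution's repository. The script below is an added example, not code from the original post or from AppCove. It assumes the input is the output of `rpm -qa --queryformat '%{NAME}\t%{VERSION}-%{RELEASE}\t%{VENDOR}\n'`, that Red Hat's own packages carry the vendor string "Red Hat, Inc.", that locally built RPMs show "(none)" when the spec file sets no Vendor tag, and that release tags such as `.el4` and `.fc10` identify the distribution a package was built for. The sample `rpm -qa` output is constructed, and its version numbers are made up for illustration.

```python
"""Inventory installed RPMs that sit outside the distro vendor's update stream.

Added example (not from the original post).  Assumed input format:
    rpm -qa --queryformat '%{NAME}\t%{VERSION}-%{RELEASE}\t%{VENDOR}\n'
"""
import re
from collections import defaultdict

# Constructed sample output; versions are made up for illustration.
SAMPLE_RPM_QA = """\
glibc\t2.3.4-2.43\tRed Hat, Inc.
openssl\t0.9.7a-43.17\tRed Hat, Inc.
php\t5.2.6-2.el4\t(none)
python-mysql\t1.2.2-1\t(none)
MySQL-server\t5.0.67-0\tMySQL AB
memcached\t1.2.6-1.fc10\tFedora Project
"""

# Vendor strings whose packages the distro's update agent patches for us.
TRUSTED_VENDORS = {"Red Hat, Inc."}

# Dist tag in a release string, e.g. ".el4" or ".fc10" (assumed convention).
DIST_TAG = re.compile(r"\.(el|fc)(\d+)")


def parse_rpm_qa(text):
    """Parse tab-separated NAME, VERSION-RELEASE, VENDOR lines into dicts."""
    packages = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, version, vendor = line.split("\t", 2)
        packages.append({"name": name, "version": version, "vendor": vendor})
    return packages


def unmanaged_packages(packages, trusted=TRUSTED_VENDORS):
    """Group packages whose vendor is not trusted, keyed by vendor string.

    Nothing in this result is patched by the distro's update agent, so each
    entry needs its own upstream advisory tracking.  "(none)" is what a
    locally built RPM reports when its spec file sets no Vendor tag.
    """
    by_vendor = defaultdict(list)
    for pkg in packages:
        if pkg["vendor"] not in trusted:
            by_vendor[pkg["vendor"]].append(pkg["name"])
    return dict(by_vendor)


def foreign_dist_packages(packages, expected="el4"):
    """Return names whose release carries a dist tag other than `expected`.

    On a RHEL 4 host a ".fc10" tag means the package came from a Fedora
    repository and was built against Fedora's library versions, which is
    where dependency conflicts with the base system start.
    """
    foreign = []
    for pkg in packages:
        match = DIST_TAG.search(pkg["version"])
        if match and match.group(1) + match.group(2) != expected:
            foreign.append(pkg["name"])
    return foreign


def report(text, trusted=TRUSTED_VENDORS, expected="el4"):
    """Produce one summary line per untrusted vendor plus a foreign-dist line."""
    packages = parse_rpm_qa(text)
    groups = unmanaged_packages(packages, trusted)
    lines = [f"{vendor}: {', '.join(sorted(groups[vendor]))}"
             for vendor in sorted(groups)]
    foreign = foreign_dist_packages(packages, expected)
    lines.append("built for another distribution: "
                 + (", ".join(sorted(foreign)) if foreign else "none"))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_RPM_QA):
        print(line)
```

On a real host, pipe the `rpm -qa` query into the script instead of the constructed sample; the two lists it prints are the packages that need a manual patch process and the packages most likely to conflict with the base system when repositories are mixed.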
The most secure computer is one that is locked in a vault and turned off. Since that won’t work for most needs, one must find the appropriate balance between functionality and security.
Comments welcome…
– Regarding items 1 and 2.
Security in general is composed of an objective and a subjective part.
The objective part is, of course, related to technical aspects of the software, like using the most recent source code, having a good policy on configuration files, etc.
The subjective part is more related to the ‘security sensation’. People that use Windows(r) tend to think their system is not secure if they don’t have anti-virus software installed, and installing one usually removes this worry (even if the software is way outdated).
If we state that ‘recent software is more secure than old software’, and we believe the software maintainers do a good job of not breaking a stable system with updates, what is our ‘insecurity feeling’ based on?
– Regarding item 3, this may have some good info: http://fedoraproject.org/wiki/EPEL/About