[Mongrel] The Debian Plan - reloaded

Jens Kraemer kraemer at webit.de
Fri Jan 12 12:43:16 EST 2007


On Fri, Jan 12, 2007 at 09:09:33AM -0700, Kyle Kochis wrote:
> Jens,
> Good point, at least on the first two paragraphs but I must
> respectfully (yet enthusiastically) disagree on the last point:
> 
> > Besides that, it's just a waste of resources to compile anything on
> > *each* production machine in case of an upgrade. Your average web server
> > shouldn't even need to have a compiler installed, imho. I've never heard
> > of someone compiling tomcat or java on a live machine...
> 
> As a user of Debian (it is my preferred Linux Distro although I am
> starting to shift towards the BSD's), it is a pain in the butt to use
> Ruby1.8.2 or 1.6 and get everything like gems and rails working
> properly. Take a look at
> http://mongrel.rubyforge.org/docs/debian-sarge.html and
> http://lists.rubyonrails.org/pipermail/rails/2006-May/037763.html. The
> issue mentioned in both of these articles are VERY easy to avoid:
> curl, tar, cd ./configure make and finally make install. 

I don't really want to warm up that old 'Debian+Ruby sucks' discussion,
however I can't resist to comment on these 'issues'.

It's a known fact that a stable Debian lags somewhat behind the rest of
the world in terms of software versions, so if you pick it you have to
take that into account and be prepared to backport something if you want
to live on the edge *and* stay on the Debian way of managing your
software. I know, not everybody is in the position to pick *his* distro
every time, and yes, Debian can give people a hard time in the
beginning. 

For the issues mentioned in the Mail you link to - the real bug here is
with rubygems which doesn't fail if compiling a c extension fails, but
happily ignores the error. So people think Mongrel installed correctly
and blame Debian for it not working. If you saw the real error at gem
install time, everybody could guess he needs a compiler and ruby-dev to 
compile things.

[..]

> One last point: Like any debian guy, I care about security and want to
> have the latest patches and regularly do apt-get update and upgrade.
> But because I manage a few high traffic sites that use ruby I also
> must have plan if one (or more) of the sites get exploited because of
> a new found security issue in ruby (or anything else for that matter).
> Perhaps there are no new versions out that address this issue but
> after some searching I find the root of the problem and make a patch.
> So I use that patch to compile a secure version of that once exploited
> software.

you have some good points here and I really agree with you on the
security patch thing. 

In fact, that's why I initially started maintaining my own set of
ruby/mongrel debian packages. The point is I do this on one machine that
is *not* a production system, and then just do an apt-get upgrade on the
live servers. 

Having Mongrel officially in debian is just one step further, and makes
it way easier to get started with maintaining your own mongrel packages.

Maybe that's only me, but I really prefer to do the whole patch-and-
compile-part of the story only once. I take care for three and a half
servers running Rails apps on Mongrel. That's not much but even then I
have better things to do than e.g. to manually patch and install Ruby 4
times when the next cgi.rb security leak arises.

Imho, that's DRY applied to systems administration :-)


cheers,
Jens


-- 
webit! Gesellschaft für neue Medien mbH          www.webit.de
Dipl.-Wirtschaftsingenieur Jens Krämer       kraemer at webit.de
Schnorrstraße 76                         Tel +49 351 46766  0
D-01069 Dresden                          Fax +49 351 46766 66


More information about the Mongrel-users mailing list