Hey folks,
It looks to me like the httpd on CentOS is stuck at 2.2.2 - what's up with that? Even after a yum upgrade.
I need 2.2.10 or greater, and would prefer to get it via yum or at very least an RPM if at all possible. But I cannot even find an RPM out there. For some reason both EPEL and Dag Wieers do not even seem to have an httpd RPM for RHEL5.
Any idea where to look? Why are we stuck at 2.2.3 which was a 2006 release?
thanks, -Alan
On Fri, Aug 28, 2009 at 10:32 AM, Alan McKay <alan.mckay@gmail.com> wrote:
Hey folks,
It looks to me like the httpd on CentOS is stuck at 2.2.2 - what's up with that? Even after a yum upgrade.
I need 2.2.10 or greater, and would prefer to get it via yum or at very least an RPM if at all possible. But I cannot even find an RPM out there. For some reason both EPEL and Dag Wieers do not even seem to have an httpd RPM for RHEL5.
They both try to not overwrite 'core' packages in the distro without good reason.
Any idea where to look? Why are we stuck at 2.2.3 which was a 2006 release?
Because that's the version that was stabilized and locked into EL5. EL5 was released in early 2007, so it fits. As the distro ages, so does the software.
See http://www.redhat.com/security/updates/backporting/ and http://en.wikipedia.org/wiki/Backporting
Hmmmm, OK, I get it.
I know I can build the latest Apache on CentOS, and what we currently do is put it into /usr/local - which I guess works.
I'd really prefer to have an RPM though.
Certainly the CentOS team has a way in which they produce this RPM. Is this method public? And if so, is it easy to obtain, and run against the latest Apache source code to produce my own RPM?
thanks, -Alan
At Fri, 28 Aug 2009 10:48:51 -0400 CentOS mailing list <centos@centos.org> wrote:
Hmmmm, OK, I get it.
I know I can build the latest Apache on CentOS, and what we currently do is put it into /usr/local - which I guess works.
I'd really prefer to have an RPM though.
Certainly the CentOS team has a way in which they produce this RPM. Is this method public? And if so, is it easy to obtain, and run against the latest Apache source code to produce my own RPM?
You can do one of these:
1) Grab the *source* RPM from like FC10 (or whatever version of Fedora Core has the httpd version you need).
2) Grab the source RPM for CentOS 5.3 and study the .spec file. Make a new .spec using the desired source tarball from the apache.org site.
In either case, make sure rpm-build is installed and all of the necessary -devel packages and fire up rpmbuild and build your own RPMs.
There exist on the web various resources on what goes in a .spec file and how to run rpmbuild and about building your own RPM files. Google is your friend.
thanks, -Alan
Alan McKay wrote:
Hmmmm, OK, I get it.
I know I can build the latest Apache on CentOS, and what we currently do is put it into /usr/local - which I guess works.
I'd really prefer to have an RPM though.
Certainly the CentOS team has a way in which they produce this RPM. Is this method public? And if so, is it easy to obtain, and run against the latest Apache source code to produce my own RPM?
It is not nearly that easy. The thing you are looking for is called the Source RPM (SRPM).
However, if you are going to rebuild apache, you are going to have to rebuild many other things that link against apache. You will also render unusable all things in the enterprise repos that link against the apache version that is in CentOS.
If you want the latest and greatest applications, you are using the wrong distro. Use Fedora if you want the latest and greatest stuff. CentOS is an Enterprise Distro ... its whole purpose is to keep the ABIs/APIs it shipped with for 7 years. This week you will replace apache, next week you will replace mysql, the week after that you'll want a new bind, then the new postfix, etc.
If you want a stable version of linux for 7 years, centos is for you. If you want latest and greatest, it is not.
On Fri, Aug 28, 2009 at 10:48 AM, Alan McKay <alan.mckay@gmail.com> wrote:
Hmmmm, OK, I get it.
Certainly the CentOS team has a way in which they produce this RPM. Is this method public? And if so, is it easy to obtain, and run against the latest Apache source code to produce my own RPM?
The CentOS method is to rebuild the upstream source rpms, after removing any trademarked items. You could use the httpd which is included in the testing repository.
OK, here is the interesting part :-)
I'm new here as of about 4 months ago, and I just asked some coworkers why we went with 2.2.10 instead of the 2.2.3 that comes with CentOS
Apparently at the time we'd been having some problems with mod_perl crashing (and still are in fact - I'm working on it slowly but surely), and we'd hired an outside consulting company to help out with it. Their first comment was that 2.2.3 was "extremely buggy" and that we should definitely not go with it. So that's what we did. The newest release at the time was 2.2.10 and that's where we are.
There was also some speculation that our DB2 client did not work so well with 2.2.3.
Can someone answer me this - I see that today we have 2.2.3 patch level 22 as our most recent release.
Is there a document that will tell me what patch levels were shipped with the different releases of CentOS? In particular 5.2?
Maybe I don't really need > 2.2.3, I dunno. I've seen some other evidence that this outside contracting company did not seem to know as much as they let on. For starters, they did not get very far with our mod_perl problem. I got a lot further in about a week of googling, and I came into it with no knowledge of mod_perl, and no debug-level knowledge of Apache (albeit 7 or 8 years of apache config experience)
thanks, -Alan
On Fri, 28 Aug 2009, Alan McKay wrote:
Is there a document that will tell me what patch levels were shipped with the different releases of CentOS? In particular 5.2?
Two come to mind that we ship with every binary we alter, every package we build:
- one is the SRPM, which contains all sources and patches, etc
- two is a summary of varying detail, and carried with every binary under RPM installation (here for the apache webserver, carried in the package: httpd):
rpm -q --changelog httpd
The first requires some 'diff' reading skills, but is the most accurate
As to the second method, I see the following recent entries:
* Tue Jul 14 2009 Karanbir Singh <kbsingh@centos.org> 2.2.3-22.el5.centos.2
- Roll in CentOS Branding
* Mon Jul 06 2009 Joe Orton <jorton@redhat.com> 2.2.3-22.el5_3.2
- add security fixes for CVE-2009-1890, CVE-2009-1891 (#509782)
* Thu May 07 2009 Joe Orton <jorton@redhat.com> 2.2.3-22.el5_3.1
- add security fixes for CVE-2008-1678, CVE-2009-1195 (#499284)
* Wed Nov 12 2008 Joe Orton <jorton@redhat.com> 2.2.3-22.el5
- add security fixes for CVE-2008-2939 (#468841)
- note that the mod_proxy 2.2.9 rebase fixed CVE-2008-2634
-------------------------
CVE may be explored down: http://cve.mitre.org/cve/
The values of the form (#NNNNNN) are down: https://bugzilla.redhat.com/
In this case, re-branding is so common as to not pick up a centos bug number, but might and if so would be at: http://bugs.centos.org/main_page.php
-- Russ herrold
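Added example, not part of the original thread or of any CentOS tooling: a small shell helper that reads `rpm -q --changelog` output and reports which package release records a given CVE, which is the check the message above does by eye. The function names are made up for illustration, the sample text is the changelog excerpt quoted above, and it assumes the version-release is the last field of each `*` header line.

```shell
#!/bin/sh
# Sample input: the changelog entries quoted in the message above.
SAMPLE_CHANGELOG='* Tue Jul 14 2009 Karanbir Singh <kbsingh@centos.org> 2.2.3-22.el5.centos.2
- Roll in CentOS Branding
* Mon Jul 06 2009 Joe Orton <jorton@redhat.com> 2.2.3-22.el5_3.2
- add security fixes for CVE-2009-1890, CVE-2009-1891 (#509782)
* Thu May 07 2009 Joe Orton <jorton@redhat.com> 2.2.3-22.el5_3.1
- add security fixes for CVE-2008-1678, CVE-2009-1195 (#499284)
* Wed Nov 12 2008 Joe Orton <jorton@redhat.com> 2.2.3-22.el5
- add security fixes for CVE-2008-2939 (#468841)
- note that the mod_proxy 2.2.9 rebase fixed CVE-2008-2634'

# changelog_cves (hypothetical name): read changelog text on stdin and print
# one "CVE-ID<TAB>release" line per CVE, paired with the entry it appears in.
changelog_cves() {
    awk '
        /^\* / { rel = $NF; next }   # entry header: last field is version-release
        {
            line = $0
            # a changelog line can list several CVE ids; walk through all of them
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                print substr(line, RSTART, RLENGTH) "\t" rel
                line = substr(line, RSTART + RLENGTH)
            }
        }
    '
}

# cve_status (hypothetical name): report the newest entry that names the CVE.
# "not mentioned" only means the changelog has no record of that id.
cve_status() {
    hit=$(changelog_cves | awk -F'\t' -v id="$1" '$1 == id { print $2; exit }')
    if [ -n "$hit" ]; then
        echo "$1 mentioned in $hit"
    else
        echo "$1 not mentioned"
    fi
}

# On an installed system: rpm -q --changelog httpd | cve_status CVE-2009-1890
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_status CVE-2009-1890
```
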
At Fri, 28 Aug 2009 12:11:19 -0400 CentOS mailing list <centos@centos.org> wrote:
OK, here is the interesting part :-)
I'm new here as of about 4 months ago, and I just asked some coworkers why we went with 2.2.10 instead of the 2.2.3 that comes with CentOS
Apparently at the time we'd been having some problems with mod_perl crashing (and still are in fact - I'm working on it slowly but surely), and we'd hired an outside consulting company to help out with it. Their first comment was that 2.2.3 was "extremely buggy" and that we should definitely not go with it. So that's what we did. The newest release at the time was 2.2.10 and that's where we are.
There was also some speculation that our DB2 client did not work so well with 2.2.3.
Can someone answer me this - I see that today we have 2.2.3 patch level 22 as our most recent release.
Is there a document that will tell me what patch levels were shipped with the different releases of CentOS? In particular 5.2?
rpm -q --changelog httpd
Maybe I don't really need > 2.2.3, I dunno. I've seen some other evidence that this outside contracting company did not seem to know as much as they let on. For starters, they did not get very far with our mod_perl problem. I got a lot further in about a week of googling, and I came into it with no knowledge of mod_perl, and no debug-level knowledge of Apache (albeit 7 or 8 years of apache config experience)
Hmmm... It sounds like you were scammed on some level...
thanks, -Alan
On Fri, Aug 28, 2009 at 7:51 PM, Robert Heller <heller@deepsoft.com> wrote:
At Fri, 28 Aug 2009 12:11:19 -0400 CentOS mailing list <centos@centos.org> wrote:
OK, here is the interesting part :-)
I'm new here as of about 4 months ago, and I just asked some coworkers why we went with 2.2.10 instead of the 2.2.3 that comes with CentOS
Apparently at the time we'd been having some problems with mod_perl crashing (and still are in fact - I'm working on it slowly but surely), and we'd hired an outside consulting company to help out with it. Their first comment was that 2.2.3 was "extremely buggy" and that we should definitely not go with it. So that's what we did. The newest release at the time was 2.2.10 and that's where we are.
There was also some speculation that our DB2 client did not work so well with 2.2.3.
Can someone answer me this - I see that today we have 2.2.3 patch level 22 as our most recent release.
Is there a document that will tell me what patch levels were shipped with the different releases of CentOS? In particular 5.2?
rpm -q --changelog httpd
Maybe I don't really need > 2.2.3, I dunno. I've seen some other evidence that this outside contracting company did not seem to know as much as they let on. For starters, they did not get very far with our mod_perl problem. I got a lot further in about a week of googling, and I came into it with no knowledge of mod_perl, and no debug-level knowledge of Apache (albeit 7 or 8 years of apache config experience)
Hmmm... It sounds like you were scammed on some level...
Yes. There are consultants who can walk on water and there are others who bill the same hourly rate (or more) and don't have a clue.
Something previous posters haven't mentioned is the rule here is "if you break it, you fix it". If you want support here, stay with what the distro developers recommend. You will get outstanding support here, for packages in the distro. The goals of an enterprise distro are security, stability and long life.
Alan McKay wrote:
OK, here is the interesting part :-)
I'm new here as of about 4 months ago, and I just asked some coworkers why we went with 2.2.10 instead of the 2.2.3 that comes with CentOS
Apparently at the time we'd been having some problems with mod_perl crashing (and still are in fact - I'm working on it slowly but surely), and we'd hired an outside consulting company to help out with it. Their first comment was that 2.2.3 was "extremely buggy" and that we should definitely not go with it. So that's what we did. The newest release at the time was 2.2.10 and that's where we are.
And the problem you have is that you still stick with release 2.2.10 - regardless of any security issue. Nobody has cared to update.
Check yourself
http://apache.mirror.clusters.cc/httpd/CHANGES_2.2
for occurrences of "SECURITY" and CVE numbers since the release of 2.2.10.
If you really run 2.2.10 since the days of those glorious consultants your webserver has several security holes.
Going with what CentOS ships, even if the package number indicates an older release, you have the advantage that the upstream takes care for security fixes by backporting.
[ ... ]
thanks, -Alan
Best regards
Alexander
Going with what CentOS ships, even if the package number indicates an older release, you have the advantage that the upstream takes care for security fixes by backporting.
Hmmm, I hadn't considered this but you are absolutely right!
Hmmmm, OK, I get it.
I know I can build the latest Apache on CentOS, and what we currently do is put it into /usr/local - which I guess works.
I'd really prefer to have an RPM though.
Certainly the CentOS team has a way in which they produce this RPM. Is this method public? And if so, is it easy to obtain, and run against the latest Apache source code to produce my own RPM?
there is the redhat webstack (rhwas) code base to use. it has newer http, php, mysql, postgres, etc. i have grabbed those srpms from ftp.redhat.com and built my own repo. centos has a testing repo that is doing the same kind of thing, but has been a bit spotty with keeping up with changes from upstream. maybe that has cleared up now, but since i put the effort into my own repo, i haven't kept tabs. kbsingh has talked about making a sub repo just for the webstack code, but i don't think that has ever happened.
Joe Pruett wrote:
Hmmmm, OK, I get it.
I know I can build the latest Apache on CentOS, and what we currently do is put it into /usr/local - which I guess works.
I'd really prefer to have an RPM though.
Certainly the CentOS team has a way in which they produce this RPM. Is this method public? And if so, is it easy to obtain, and run against the latest Apache source code to produce my own RPM?
there is the redhat webstack (rhwas) code base to use. it has newer http, php, mysql, postgres, etc. i have grabbed those srpms from ftp.redhat.com and built my own repo. centos has a testing repo that is doing the same kind of thing, but has been a bit spotty with keeping up with changes from upstream. maybe that has cleared up now, but since i put the effort into my own repo, i haven't kept tabs. kbsingh has talked about making a sub repo just for the webstack code, but i don't think that has ever happened.
The RHWAS for c4 is released, the one for c5 is not released yet.
Hi,
On Fri, Aug 28, 2009 at 10:32, Alan McKay <alan.mckay@gmail.com> wrote:
It looks to me like the httpd on CentOS is stuck at 2.2.2 - what's up with that? Even after a yum upgrade.
As Jim suggested, please read this: http://www.redhat.com/security/updates/backporting/
The whole point of using an "Enterprise" distribution is to have components that are guaranteed to work together. You will receive updates that will fix critical bugs and mainly security issues, but on the other hand, you accept to use software that does not have all the latest features and bells and whistles.
If you want cutting-edge, CentOS is not for you.
Although you can get the latest Apache and shoehorn it into CentOS, that defeats the whole point of using CentOS in the first place...
If you really need something more recent, I would advise you to look into Fedora or Ubuntu. On the other hand, with those you will need to do a full distribution upgrade every six months, as opposed to CentOS/RHEL where a major version is supported and will receive security updates for many years after its initial release.
HTH, Filipe