Now, the company that I'm managing servers for is planning on switching from in-house boxes (where I can install anything I want and installed Debian), to one of those server-farm-type deals where we get root access on a Fedora-Core-2 box that's... in a rack *somewhere*.
My first reaction was to try out a tool that I found that can turn any Linux box into a Debian one but installing the core Debian package management tools and then letting it supplant whatever was there to begin with.
But a pal convinced me that RedHat's package management tools aren't as bad as they used to be... and that I should consider using it. So... okay... I'm considering it. As a result, I've got a few questions, which I'm hoping that someone can address in a balanced (as in, as devoid of debian/redhat religious bias as possible). This will probably sound like a RedHat-bashing rant... but it's not. I'm not trying to convert or convince anybody here of anything. I want to hear what Fedora has going for it from *Fedora* users, not (exclusively) Debian users. I want to hear, from people who have concluded that Fedora is perfectly suitable, why they feel the package management system suits their needs. So... don't take this personally. Don't feel that you have to defend. I'm just looking to find out what the various tools do, what they don't do, and how to make them do what they can do.
On to my story....
In the past, when I've been called into a colleague's office to fix their hacked-into RedHat box, I've always noted how out-of-date their pacakges were. They were the original packages that came from the CD a year or two back. I always tried to fix this by just obtaining newer versions of the packages over the net. When I tried to get new RPM's with the fixes, I ran into a few problems. The first problem was that it was tough finding the *official* patches. Maybe I wasn't looking in the right place on RedHat's ftp site, but it seemed that I always had to resort to just searching google for the RPM I needed. This made me uneasy because... I didn't know the reliability of the person I was downloading them from. The second problem was that of dependencies. Inevitably, the newer patched version of, say, Apache, required some newer libs. So, I'd have to search for a newer version of the library. Usually, I'd find this at the site of someone *other* that the site I got the first RPM from. Then, I'd try to install that lib... and it depended upon another, etc. I wouldn't know if this process was going to continue one more itteration, or a hundred more.
I'm sure RedHat users have heard this refrain from Debian users before. I only mention it here because I want to give clear context to the questions that I ask below:
1 - Of the package tools that are now offered for Fedora (rpm, yum, up2date, apt?, red-carpet, others?), which ones are able to automatically get the package from the net? Which ones automatically also get the dependencies? Which ones who me a list of all of the ones that are available (like Debian's aptitude or the dreaded dselect)?
2 - I tried up2date once. It seemed like it was headed down the right track of addressing the issues that I had with RedHat in the past, regarding automatic downloads from a central source. However, it *seemed* as though it was merely getting security-patched releases of selected packages. For example, if I had installed Foo 1.0 and Bar 1.0 with the release CD, and then a new version of Foo (1.1) comes out and a security-patch for Bar (1.0.1) comes out... it seemed that up2date would only get the Bar 1.0.1. In short, you're still stuck with the old versions and their old capabilities, unless there is a security issue or serious bug that needs fixing. Contrast this with Debian, where I can point my apt sources.list file to the "unstable" store and I've always got the latest releases of everything (except major version-number changes. For example, I had to delibrately de-select Apache and select Apache2 to move from Apache 1.x to Apache 2.x. But, up to that point, merely selecting Apache had moved me through Apache 1.1, 1.2, and 1.3 as they were released).
I guess another way to put it is that... if you had installed RedHat 8, then running up2date would only ensure that you had a fairly secure version of the packages (and versions thereof) that originally came with RH8. On the other hand, with Debian, if I install Debian 2 and run apt regularly, as Debian 3 is nearing release, my machine would gradually be picking up the new Debian 3 versions of packages as they passed testing. On the day Debian 3 was released, the versions of all of the packages on my machine would, essentially, match those on the release CD of Debian 3.
Was I just imagining that, or is that how up2date really works? Do the other Fedora management tools work differently? It would be a pain to have to manually select newer minor version numbers of hundreds of packages.
3 - With Debian, there are oodles of packages available on the official site and mirrors. Of the several hundred packages I have installed on our server, I think I've got one or two that come from third-party "average Joe" sources. On the other hand, from what little I've read about configuring apt for RedHat thus far (which isn't much, I'll admit), it seems that there's a much higher occurence of third-party sources in the apt sources.list files. For those using any of the automatic-package-and-dependency-download-and-install tools, approximately what percentage of your packages (especially new versions of packages) come from NON-official RedHat sources?
Regards,
- Joe