[ale] Would you get Redhat Tomcat from Redhat or Apache?
Scott McBrien
smcbrien at gmail.com
Mon Aug 12 13:45:48 EDT 2013
You have to make sure they keep their stuff updated. If there's a vulnerability or sometimes bug in the version redhat ships, they back port the fix from upstream into the older version they maintain. If you go with apache's version, you get to do this.
Where you start to get into problems is with the security compliance folks. The original post said 'Financial Application'. If its for a publicly traded company, now the box is probably now SOX. If its credit card, now its PCI in-scope. The latter requires that all security updates are applied within 30 days of vendor release. If you go with Red Hats tomcat, that's 30 days from when Red Hat releases an update. And, like I said before, because they back port, things will probably be just fine with the update. However, if you roll your own, you either have to do your own back porting (and be able to prove to an auditor that what you're doing is effective and proper) or grab the latest from apache.org because Apache is your 'vendor'. So when they stop maintaining a branch of tomcat, you have 30 days to get your machine using the latest version, complete with all the JVM, obsoleted ABI stuff, and other application things that may mean that your app doesn't work anymore.
If your application is for a non-public company or does not have any other type of security policy like PCI, STIG, HIPA requirements, you can do what you want, but it might not be a bad idea to follow a policy that *might* be appropriate at some time in the future as the only constant is change.
-Scott
On Aug 12, 2013, at 12:59 PM, leam hall <leamhall at gmail.com> wrote:
> Agreed. If there is a use case for compiled, then yee-haa. Otherwise, yum. The ideal is that if the Devs say they "must" have the latest then let them build the RPM for you to install.
>
>
>
> On Mon, Aug 12, 2013 at 12:54 PM, Dennis Ruzeski <denniruz at gmail.com> wrote:
>> They are not crazy but you will be jumping through a bunch of hoops you don't need to. There's only a very few edge cases where you might need to compile-
>>
>> Bottom line-- If you need a feature not in the packaged version, compile your own (I would still package it.)
>>
>>
>>
>>
>> On Mon, Aug 12, 2013 at 12:40 PM, Neal Rhodes <neal at mnopltd.com> wrote:
>>> Trying to get back on A topic which relates to linux....
>>>
>>> If you were charged with putting up a secure internal Web Services framework on RedHat Enterprise Linux 6.4 for a financial application, would you:
>>> "yum install tomcat6"
>>> or,
>>> go to Apache.org, download the sources, compile, and pray.
>>>
>>>
>>> No, this is not a trick question. I've always just used the tested supplied Redhat version which "just works". But there are apparently other opinions, just trying to figure out if they are crazy.
>>>
>>> Neal Rhodes
>>> MNOP Ltd
>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
>>
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>
>
>
> --
> Mind on a Mission
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20130812/373f6dd4/attachment.html>
More information about the Ale
mailing list