[Klug-general] Re: Apache, PHP and MySQL security

J D Freeman klug at quixotic.org.uk
Sat Jan 6 16:09:32 GMT 2007


On Sat, Jan 06, 2007 at 03:01:40PM +0000, Matthew Macdonald-Wallace wrote:
> > if you are worried about security and compatibility then why not use a
> > mainstream distro like suse?
> 
> I've been using Gentoo for the last five or so years and have recently
> switched to Ubuntu to see what the fuss is all about (!) - I don't want
> to lose my knowledge of compiling from source, and I also believe that
> software cannot be trusted to run the way you want it to unless you have
> set the compile and performance flags yourself. Unfortunately, I don't
> know enough about which flags to set when compiling for security, hence
> the original post.
> 
> I am aware that I could just set Gentoo to install hardened versions of
> everything, however I wouldn't learn as much that way!

Or alternatively when you trust the person who compiled it. Personally I
think life is too short, and old hardware too cheap, to screw around
compiling every little thing from scratch (having watched a friend
compile OO for over 2 weeks). I have met a lot of the Debian developers,
and I trust their judgements. Not only that, but I trust them in the way
they trust new people to join the Debian project. The good ole web of
trust.

SUSE and Redhat on the other hand, I do not trust, as I do not believe
they have the same level of paranoia in their compiling. They also push
the releases too often IMHO. And yes, I do consider the fact Debian
takes bloody ages to release a new stable a feature, not a bug.

But yes, consider whether compiling stuff from scratch really is a good plan.

Oh, and to answer the previous question on Apache version, I swear by
Apache 1.3.33 (the one in Debian testing/stable). Simply for the fact it
is stable, and works. It has a very proven performance record, and
simply gets security fixes, no "fixing" of features (as I have had with
other apps).

As for PHP and MySQL. If you want secure, don't use PHP. The very
paradigm behind it fails miserably to even come close to the concept of
secure. Not only this, but it not only encourages, but makes it almost
mandatory to write poor quality, unmaintainable code. And as for the
performance. Yuck. Consider Python as an alternative, or better yet, ask
yourself if you really need that dynamic back end to your page. I would
say most sites that use PHP would be simpler for all if they just ran on
a static HTML page, or maybe a server side include.

MySQL, personally I don't get on with it very well, and I much prefer
Postgres. There are all sorts of reports of Postgres being better
performance wise, more secure etc... But I must admit, I choose it cos
I prefer it, a question of taste, rather than any real justification.

Finally, I am reminded of one of the Ubuntu developers describing the
LAMP stack at FOSDEM last year:

L - Linux
A - Apache
M - Most of our scripting languages begin with P
P - and Postgresql

:p

J