
Using CentOS 6.5, I'm working on automating the installation of a few run-time libraries (git, java, maven).

Using yum install X, I've noticed that the installed version (via yum) may be earlier than the latest version available at the library's website.

The benefits of using a package management system are clear to me:

Package management systems are designed to save organizations time and money through remote administration and software distribution technology that eliminate the need for manual installs and updates. (source - Wikipedia)

Is using yum, which offers easy maintenance of libraries (a hard task), always preferable to installing the latest library version?

Why would it be better to choose the latest version of library X than use yum?

I'm asking since the currently chosen path is to use the latest version over yum, but using yum seems to be the superior choice.

MadHatter
Kevin Meredith
  • Unless you have a very compelling reason (for ex, there's a new feature you need) it's much better to use package management than installing manually, not only for the easier management but also because otherwise you are basically creating your own particular Linux distro to maintain. – LinuxDevOps Mar 27 '14 at 13:37

1 Answer


Red Hat pick the version of any given tool they'll use when they launch a version of RHEL. For RHEL 6, this included Apache 2.2.15, the 2.6.32 kernel, php 5.3.3, and so on.

For the rest of the life of RHEL6, these will not be upgraded; Red Hat will instead backport any necessary patches (and occasionally, improvements which are felt to be desirable) to the version they have picked. That means that, as long as you stick to yum and the core repositories, you'll be running software whose version number suggests it's vulnerable to certain well-known exploits, but which has been patched to avoid those vulnerabilities.

Since CentOS follows upstream (i.e., RH's) policy tightly, this applies to them, too. If you're finding later versions are catching your eye, you need to understand this; you might need a later version of (e.g.) libfoo because of functionality, but as long as you're running a supported core CentOS, you probably don't need a later version for security.

You speak of "using yum" vs. "installing the latest versions", but that's not a very good way to characterise the decision. Several people and organisations package later versions of certain libraries, toolchains, etc., than those that the core repositories provide. You can use those with yum by installing those repos into your /etc/yum.repos.d. It's better to speak of "using the core repositories via yum" vs. "using other repositories, also via yum" vs. "installing the latest versions by hand". In terms of both stability and convenience, those are listed in decreasing order.

MadHatter
  • Thanks for the thoughtful, detailed reply, MadHatter. With respect to core repos versus other repos, is using only the former considered best practice? My understanding of Red Hat is to focus on security & stability. So, if my understanding is true, then perhaps using another, non-RH repo could bring new features, but also possibly vulnerabilities? – Kevin Meredith Mar 27 '14 at 15:28
  • You're welcome, and precisely so: with any prebuilt binary, there's a question of how much you trust both the packager's skill and their good intentions. With core, both are maximised; with popular 3rd party repos, one can still have quite a lot of confidence; but I have seen some very fringe repos indeed, and I'm not sure I'd be happy to have software from them installed on a production system unless I had a **very** pressing business need. – MadHatter Mar 27 '14 at 15:34
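The two practical checks that follow from the answer above, as an added example that is not part of the original question, answer or comments: first, before reaching past the core repositories because a version number "looks" vulnerable, confirm whether the fix has already been backported (Red Hat and CentOS record each backported fix in the package's RPM changelog, so `rpm -q --changelog` is the place to look); second, if you do enable a third-party repo under /etc/yum.repos.d, keep `gpgcheck=1` so yum verifies the packager's signature rather than trusting whatever a mirror serves. The packager name, dates, release numbers, CVE placeholders (`CVE-YYYY-NNNN` and similar), repo id and URLs in the sample data are constructed placeholders, not real entries.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for two decisions the
# answer describes on CentOS 6: checking a backported fix, and adding a
# third-party repo safely.

# Return 0 when the given id appears in an rpm changelog read from stdin.
# Backported security fixes on RHEL/CentOS are listed in the changelog,
# so this is how you tell "old version number" from "actually unpatched".
cve_in_changelog() {
    grep -q -- "$1"
}

# Live check on a CentOS box (needs rpm): does the installed package's
# changelog mention the id?  Example: cve_fixed_in_installed_package httpd CVE-...
cve_fixed_in_installed_package() {
    pkg="$1"; cve="$2"
    rpm -q --changelog "$pkg" | cve_in_changelog "$cve"
}

# Print a yum repo stanza.  Arguments are caller-supplied; the stanza always
# carries gpgcheck=1 so unsigned or wrongly signed packages are rejected.
repo_stanza() {
    id="$1"; name="$2"; baseurl="$3"; gpgkey="$4"
    printf '[%s]\nname=%s\nbaseurl=%s\nenabled=1\ngpgcheck=1\ngpgkey=%s\n' \
        "$id" "$name" "$baseurl" "$gpgkey"
}

# Write the stanza as <id>.repo into a repos directory (on a real host that
# is /etc/yum.repos.d) and print the resulting path.
write_repo_file() {
    repodir="$1"; id="$2"; name="$3"; baseurl="$4"; gpgkey="$5"
    file="$repodir/$id.repo"
    repo_stanza "$id" "$name" "$baseurl" "$gpgkey" > "$file"
    echo "$file"
}

# Constructed sample in the shape of `rpm -q --changelog httpd` output.
# Packager, dates, release numbers and CVE ids are placeholders, not real
# RHEL changelog entries.
SAMPLE_CHANGELOG='* Tue Jan 14 2014 Example Packager <pkg@example.invalid> - 2.2.15-30
- Resolves: CVE-YYYY-NNNN (placeholder id) - backported fix

* Mon Dec 02 2013 Example Packager <pkg@example.invalid> - 2.2.15-29
- Resolves: CVE-YYYY-MMMM (placeholder id) - backported fix
'

# Offline variant of the check, run against the constructed sample.
sample_cve_fixed() {
    printf '%s' "$SAMPLE_CHANGELOG" | cve_in_changelog "$1"
}
```

On a real host the same idea is `rpm -q --changelog httpd | grep CVE-...`: a hit means the fix is already in the core package and the version string alone was misleading; no hit means you should check the errata before assuming either way. The repo helper deliberately has no switch to set `gpgcheck=0`; if a third-party repo does not publish a signing key, that is itself a data point about how far to trust its binaries.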