December 20, 2004

Installing Fedora Core is more work than Gentoo

A few weeks back I made the decision to replace Gentoo with Fedora Core 2 on a machine used for our wiki. I justified it because I wanted to get the box built quickly and I believed that Fedora Core 2 would be a quick install. I was wrong.

Yes, after downloading the CDs you can use the graphical installer and be up and running in less than an hour. Unfortunately that's not where "building a box" ends for me.

First, I noticed that apache was several versions old, then that FC2 was using openssl.very.old. A new version of openssl wasn't available in up2date (according to a co-worker it's because a newer version isn't trusted yet - but the old version with several known exploits is better?). I decided, since the reason I'm rebuilding this machine is because it was hacked, that I need to be on a newer version of openssl.

The rpm dependencies show a ton of stuff that relies on openssl, I started to work through them and after 30 minutes got sick of it and just went ahead and build a new RPM and installed. Of course, as soon as I did that SSH failed. I went over to the physical machine and thought I'd get a new SSH built. Without openssl, wget dies looking for the libraries so I figure the best solution is to start over.

I rebuilt the box, choosing to install nothing except the basic packages. Everything I wanted to use (apache, perl, php, MySQL, openssl) were all significantly old enough that I'd rather have the barebones OS and build everything myself. I download openssl, openssh and wget. Next build and install a new RPM for openssl, and rebuild ssh and wget. After the good part of a day, I'm finally on my way to moving past the OS and onto the webserver, database etc.

Isn't this one of the main reasons I went to Gentoo, to get away from depending on RPM availability, the out-of date packages and having to deal with the constraints of RPM dependencies. How did I forget all that annoyance.

The truth is that I wouldn't have had to rebuild the box in the first place if I had been better about using Gentoo's emerge with some regularity, or at a minimum do a pretend and email the results.

Since we're up and running, I'm going to stick with FC2 for the time being, but next chance I get it will be back to Gentoo for that box.

