[sf-lug] about /usr/local and package management

Rick Moen rick at linuxmafia.com
Wed Oct 18 09:54:52 PDT 2006

Quoting jim stockford (jim at well.com):

>     my take on a package-managed OS (Red Hat's RPM
> or Debian's APT) is that as much as possible the SA for
> the box should use the package manager exclusively.
>     yes?

_Hell_ yes.  ;->

>     Ideally this would obviate the good old tar management
> wrt system and box-wide software
> ...(to use tar to install software is to sidestep the benefits
> ...of package management--the package management
> ...database is not updated, and there's the fat-finger-effect
> ...of tar-ing in something that is managed, breaking the
> ...package management for that software).
>     But there may be a legitimate need for tar-ing something
> in, for example chkrootkit.

Of course, most good distros have chkrootkit (and rkhunter) packaged,
and you can force-download/install the latest -- assuming you think you
can trust your system enough to do that.[1]

(OTOH, if you use either of those packages for anything other than a
belt-and-suspenders crosscheck, you've already lost.)

>     THE QUESTION: is the /usr/local/ space _properly_ a no
> man's land for tar-ing and other means of adding non-
> package-managed software (e.g. writing and compiling,
> copying...)?

Correct.  The packaging system is not supposed to ever touch that tree,
and it's for any software you feel a need to build/install outside your
distro package regime -- aka "locally installed software".

[1] How to check the security of a system whose software you don't trust
is a non-trivial problem.
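
An added example, not part of the original thread: a shell check of the /usr/local convention discussed above, reporting package-owned files under /usr/local and unpackaged files outside it. The function names and sample paths are constructed for illustration.

```shell
#!/bin/sh
# Inputs: two text files, one absolute path per line.
#   owned: paths the package manager claims, e.g.
#          Debian: cat /var/lib/dpkg/info/*.list     RPM: rpm -qal
#   disk:  regular files actually present, e.g. find /usr -xdev -type f
# Assumption: both lists spell paths the same way (no symlinked prefixes).

# _audit COMM_FLAGS OWNED DISK: sort both lists in the C locale, then compare.
_audit() {
    tmp=$(mktemp -d) || return 1
    LC_ALL=C sort -u "$2" > "$tmp/owned"
    LC_ALL=C sort -u "$3" > "$tmp/disk"
    LC_ALL=C comm "$1" "$tmp/owned" "$tmp/disk"
    rm -rf "$tmp"
}

# Files present under /usr/local that the package database claims:
# the packaging system has reached into the local tree.
owned_in_local() {
    _audit -12 "$1" "$2" | awk 'index($0, "/usr/local/") == 1'
}

# Files present outside /usr/local that no package claims:
# something was tar-ed or copied into package-managed space.
unowned_outside_local() {
    _audit -13 "$1" "$2" | awk 'index($0, "/usr/local/") != 1'
}

# Constructed sample lists (hypothetical paths) written into directory $1.
write_sample() {
    printf '%s\n' /usr/bin/less /usr/sbin/sshd \
        /usr/local/bin/vendor-agent > "$1/owned"
    printf '%s\n' /usr/bin/less /usr/sbin/sshd /usr/sbin/chkrootkit \
        /usr/local/bin/vendor-agent /usr/local/bin/mytool > "$1/disk"
}

demo=$(mktemp -d) && write_sample "$demo"
echo "package-owned files under /usr/local:"
owned_in_local "$demo/owned" "$demo/disk"
echo "unpackaged files outside /usr/local:"
unowned_outside_local "$demo/owned" "$demo/disk"
rm -rf "$demo"
```

The manifest comes from the package database on the same machine, so treat the output as a hygiene report rather than proof that the system is untampered.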
