[sf-lug] about /usr/local and package management
rick at linuxmafia.com
Wed Oct 18 09:54:52 PDT 2006

Quoting jim stockford (jim at well.com):
> my take on a package-managed OS (Red Hat's RPM
> or Debian's APT) is that as much as possible the SA for
> the box should use the package manager exclusively.

_Hell_ yes. ;->

> Ideally this would obviate the good old tar management
> wrt system and box-wide software
> ...(to use tar to install software is to sidestep the benefits
> ...of package management--the package management
> ...database is not updated, and there's the fat-finger-effect
> ...of tar-ing in something that is managed, breaking the
> ...package management for that software).
> But there may be a legitimate need for tar-ing something
> in, for example chkrootkit.

Of course, most good distros have chkrootkit (and rkhunter) packaged,
and you can force-download/install the latest -- assuming you think you
can trust your system enough to do that.

(OTOH, if you use either of those packages for anything other than a
belt-and-suspenders crosscheck, you've already lost.)

> THE QUESTION: is the /usr/local/ space _properly_ a no
> man's land for tar-ing and other means of adding non-
> package-managed software (e.g. writing and compiling,

Correct. The packaging system is not supposed to ever touch that tree,
and it's for any software you feel a need to build/install outside your
distro package regime -- aka "locally installed software".

How to check the security of a system whose software you don't trust
is a non-trivial problem.