LinuxQuestions.org
Old 08-20-2009, 04:35 PM   #1
techdruid
LQ Newbie
 
Registered: Apr 2009
Location: Portland, OR
Posts: 10

Rep: Reputation: 0
httpd-2.2.13-1.i386 rpm for fedora 9


Due to PCI compliance requirements I had to custom compile the new version of apache (httpd) web server. I figured that I'd try building an RPM for Fedora 9 httpd-2.2.13 during the process so I could apply it across multiple systems.

Links to the RPM's and technical details of how I built the RPM's can be found at the following location.

DISCLAIMER : Use these RPM's at your own risk. They are my first attempt ever at building.

http://www.techdruid.com/index.php/c...m-for-fedora-9

Good Luck.
 
Old 08-21-2009, 01:36 AM   #2
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,269

Rep: Reputation: 2028
Since you mention PCI compliance, do they know that F9 is no longer supported? Fedora versions only last 13 mths.
You should think about moving to Centos 5.3 (free version of RHEL), which is updated for 7 yrs.
http://www.redhat.com/security/updates/errata/
 
Old 08-21-2009, 05:16 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,305
Blog Entries: 54

Rep: Reputation: 2856
Quote:
Originally Posted by techdruid View Post
They are my first attempt ever at building.

That does not instill much confidence. However that could be mitigated by also offering (patches if any and) the .src.rpms for download you get when you run 'rpmbuild -bs httpd.spec'. That way people can inspect and rebuild their own version. (I'll skip the part of GPG-signing packages) Without freely downloadable .src.rpm I strongly suggest people do not install your packages and instead look for packages in official or semi-official but nonetheless trustworthy sources.
 
Old 08-21-2009, 11:17 PM   #4
techdruid
LQ Newbie
 
Registered: Apr 2009
Location: Portland, OR
Posts: 10

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by chrism01 View Post
Since you mention PCI compliance, do they know that F9 is no longer supported? Fedora versions only last 13 mths.
You should think about moving to Centos 5.3 (free version of RHEL), which is updated for 7 yrs.
http://www.redhat.com/security/updates/errata/

CentOS does not release updates that certain scan vendors deem necessary for compliance. At least not in a timely manner. I've had scan vendors tell me I needed a later version of something, but the CentOS distribution would not provide an update as they didn't see the upgrade as critical.

This is the reason I switched to Fedora from CentOS.

But alas. Either way it seems that I have to build custom rpm's to appease the scan vendors.
 
Old 08-21-2009, 11:20 PM   #5
techdruid
LQ Newbie
 
Registered: Apr 2009
Location: Portland, OR
Posts: 10

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn View Post
That does not instill much confidence. However that could be mitigated by also offering (patches if any and) the .src.rpms for download you get when you run 'rpmbuild -bs httpd.spec'. That way people can inspect and rebuild their own version. (I'll skip the part of GPG-signing packages) Without freely downloadable .src.rpm I strongly suggest people do not install your packages and instead look for packages in official or semi-official but nonetheless trustworthy sources.

I didn't expect to instill much confidence. It was as much a learning experience for me, as it was to offer assistance to others.

Also, I'm definitely looking for feedback so that I can improve what I produce in the future. So I appreciate the feedback.

Thanks
Richard
 
Old 08-24-2009, 12:46 AM   #6
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,269

Rep: Reputation: 2028
You do know that RHEL (& therefore Centos) don't keep upgrading the main pkg version nums, they just backport the necessary updates and adjust the release num instead eg

pkg-version-release.arch.rpm

where 'release num' indicates what backports have been done, see associated changelogs.
There's a nice breakdown here http://www.linuxtopia.org/online_boo...mpressing.html

Apologies if you already knew this
 
Old 08-24-2009, 11:38 PM   #7
techdruid
LQ Newbie
 
Registered: Apr 2009
Location: Portland, OR
Posts: 10

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by chrism01 View Post
You do know that RHEL (& therefore Centos) don't keep upgrading the main pkg version nums, they just backport the necessary updates and adjust the release num instead eg

pkg-version-release.arch.rpm

While I do understand the basic idea behind package and release numbers, I was not aware that they were not releasing new package numbers in conjunction with the software package. Thank you for clarifying this.

Can you tell me where on Red Hat's website I can find the details on what updates are included in their latest release of httpd-2.2.3-22.el5.centos.2 for example? Or perhaps on the CentOS website?

One concern here is that Apache released httpd 2.2.13 on 08-Aug-2009. The most recent release from Red Hat of 2.2.3-22.el5.centos.2 was on 14-Jul-2009. So I'm guessing they don't have the updates made on the 8th of August from Apache. My scan vendor is telling me this update is necessary.

Also, the sad part here is that there is no way for a PCI scan vendor to know if you have properly patched your system.

If I telnet into port 80 on a fully updated Centos 5.3 (Final) system, the version reported is "Server: Apache/2.2.3 (Red Hat)".

Now of course I have the option to go in and tell my vendor that I'm compliant and it's a false positive. However, what happens if this disables the scan vendor from alerting when there's another update?

It seems to me that there is a certain amount of room for allowing a needed update to slip through the cracks. A system may go unpatched/unnoticed because the scan vendor is not alerting me.

Thanks again
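
The point raised in posts #6 and #7, as an added example that is not part of any poster's message: the banner exposes only the upstream version field, while backported fixes are recorded under the release field in the package changelog. The function names, the `.i386.rpm` suffix on the file name, the changelog text and the `CVE-0000-000N` ids are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): why a banner version alone cannot
# show patch state on a distribution that backports fixes.

# Split "name-version-release.arch.rpm". The name may contain dashes,
# so release and version are peeled off from the right.
split_nvra() {
    f=${1%.rpm}
    arch=${f##*.};    f=${f%.*}
    release=${f##*-}; f=${f%-*}
    version=${f##*-}; name=${f%-*}
    printf '%s %s %s %s\n' "$name" "$version" "$release" "$arch"
}

# Version as exposed in an HTTP Server header read from stdin.
banner_version() {
    sed -n 's|^Server: Apache/\([0-9.]*\).*|\1|p'
}

# Unique CVE ids named in a changelog read from stdin.
# On a real host: rpm -q --changelog httpd | changelog_cves
changelog_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Classify one scanner finding ($1 = CVE id) against a changelog on stdin.
triage_finding() {
    if changelog_cves | grep -qxF "$1"; then
        echo fixed-by-backport
    else
        echo not-in-changelog
    fi
}

# Constructed changelog; the CVE ids are placeholders, not real advisories.
SAMPLE_CHANGELOG='* Mon Jan 08 2001 Example Packager <pkg@example.invalid> 2.2.3-22.2
- add security fix for CVE-0000-0002
* Mon Jan 01 2001 Example Packager <pkg@example.invalid> 2.2.3-22.1
- add security fixes for CVE-0000-0001, CVE-0000-0002'

split_nvra httpd-2.2.3-22.el5.centos.2.i386.rpm
echo 'Server: Apache/2.2.3 (Red Hat)' | banner_version
printf '%s\n' "$SAMPLE_CHANGELOG" | triage_finding CVE-0000-0001
printf '%s\n' "$SAMPLE_CHANGELOG" | triage_finding CVE-0000-0009
```

A finding classified `not-in-changelog` is the case that still needs follow-up with the distribution's errata, so marking a banner-based finding as a false positive is done per CVE rather than per package.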
 
Old 08-28-2009, 05:52 PM   #8
techdruid
LQ Newbie
 
Registered: Apr 2009
Location: Portland, OR
Posts: 10

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by chrism01 View Post
You do know that RHEL (& therefore Centos) don't keep upgrading the main pkg version nums, they just backport the necessary updates and adjust the release num instead eg

Clearly I acted too quickly in building these RPM's for Fedora.

After digging deeper into the problem with httpd release, I see that the actual problem is with the APR library. So, simply updating the version and banner of httpd did not actually resolve the problem with the APR library.

Red Hat in fact did release a patch to apr & apr-util on August 11th 2009. So I was incorrect to believe that they hadn't addressed this bug.

http://lwn.net/Alerts/346716/

Well, at least I've learned a lot about building RPM's. My latest builds for PHP rpm's resulted in me going back to build glibc rpm's as dependencies. Whew, what fun.
 
Old 08-29-2009, 02:22 PM   #9
techdruid
LQ Newbie
 
Registered: Apr 2009
Location: Portland, OR
Posts: 10

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn View Post
... when you run 'rpmbuild -bs httpd.spec'. That way people can inspect and rebuild their own version.

I'm currently building (for learning/experience) glibc rpms. However, I noticed that there are many more binary RPM's and less source RPM's. Can you tell me if this is normal?

When I do an rpmbuild -bb --clean rpmbuild/SPECS/glibc.spec
I get the following RPMs

Code:
glibc-2.10.1-4.i386.rpm
glibc-devel-2.10.1-4.i386.rpm
glibc-static-2.10.1-4.i386.rpm
glibc-headers-2.10.1-4.i386.rpm
glibc-common-2.10.1-4.i386.rpm
nscd-2.10.1-4.i386.rpm
glibc-utils-2.10.1-4.i386.rpm
glibc-debuginfo-2.10.1-4.i386.rpm
glibc-debuginfo-common-2.10.1-4.i386.rpm

However, when I do an rpmbuild -bs rpmbuild/SPECS/glibc.spec
I only get the following source RPM

Code:
glibc-2.10.1-4.src.rpm

Does the source rpm include the details of all the binaries listed above?

Thanks in Advance
Richard
 
  

