
That is what I suspected - in order to get an "A+" you have to recompile the web server (the article is for nginx but the same idea applies to Apache). I'm not saying this is a difficult process - but not something I want to do on a production system.

While distro maintainers usually do a great job of maintaining software - I think it does highlight a certain need for another way to easily install bleeding edge without adding a whole other repo (which could contain/override versions of other software you may not want). You can always rpm/dpkg an individual package - but now your version will never be updated by the package manager, well by yum update/apt-get upgrade anyways (or even worse overwritten).

No. If you force HSTS it raises an A to an A+, which requires no recompiling.

Do PPAs not fit your use case?
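The reply above says that forcing HSTS is what lifts an SSL Labs grade from A to A+. The following is an added example, not code from anyone in this thread: a small Python checker that parses a Strict-Transport-Security header (RFC 6797 syntax) out of a response header dictionary and reports what a grader would object to. The sample headers are constructed, and the minimum max-age threshold is an assumption chosen for illustration, not a value taken from SSL Labs.

```python
"""Evaluate an HTTP response's Strict-Transport-Security header.

Added example for this thread; assumes a plain dict of response headers
such as the one `requests` or `http.client` would hand back.
"""

# Assumed threshold for a "strong" policy (180 days). Scanners differ;
# treat this as an illustrative value, not SSL Labs' actual cut-off.
MIN_MAX_AGE = 15552000


def parse_hsts(value: str) -> dict:
    """Split an HSTS header value into its directives.

    Directive names are case-insensitive per RFC 6797; valueless
    directives such as includeSubDomains map to True.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def evaluate_hsts(headers: dict) -> list:
    """Return a list of findings; an empty list means the policy looks good."""
    # Header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["missing Strict-Transport-Security header"]

    directives = parse_hsts(value)
    findings = []

    max_age = directives.get("max-age")
    if max_age is None or max_age is True:
        findings.append("max-age directive missing")
    elif not max_age.isdigit():
        findings.append(f"max-age is not numeric: {max_age!r}")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append(f"max-age {max_age} is below {MIN_MAX_AGE}")

    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set (subdomains stay unprotected)")

    return findings


# Constructed sample responses, not captured from any real server.
SAMPLE_GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
SAMPLE_WEAK = {"strict-transport-security": "max-age=300"}
SAMPLE_NONE = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for label, hdrs in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK), ("none", SAMPLE_NONE)):
        print(label, evaluate_hsts(hdrs) or "OK")
```

One caveat the checker cannot see from a single response: in nginx, `add_header` without the `always` flag only emits the header on 2xx and 3xx responses, so an error page can come back without HSTS; in Apache the equivalent is `Header always set`. Probe an error URL as well as the front page when verifying a deployment.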


Upon further research it looks like recompiling may no longer be needed. I remember a while back some feature in a newer version of Apache - however I may be confusing that with my Ubuntu 10.04 (most of my other systems run Debian Wheezy).

In any case - PPAs are a patch for the problem not a solution (and specific to Ubuntu). PPAs require third-party support and if a security issue is found and he (or they) are on vacation - your custom version of Apache is vulnerable. It's not a big issue for something like Wine, but I would just have a warm fuzzy feeling if the security team behind the distro supported it.

I'm even guilty of using random debs, however I always check for red flags and go with my gut feeling. I have worked with a group of Linux people who refused to install packages I wanted from the Red Hat community repos onto the servers (though they would freely install packages they wanted...)
