PSA: Using generic binaries, especially something third-party and complex, such as postgres

Carsten Schmitz, IT Systems Architect, Wermelskirchen, Germany
I've talked to various people at Automic about this before, but for the sake of general awareness, I feel like I should step on the soap box once more.

I just downloaded the latest AE package, and that includes a folder /External.Resources/postgresql/unix/linux/x64, which includes a tarball with Postgres 9.5.9-1.

While this is a relatively recent version of postgres, in my humble opinion it is not a good idea to ship anything this way, but especially complex stuff - or for customers to make use of this. There are two issues with this that customers considering this should be aware of:

  • one, by simply copying some binaries from a tarball and running them, the usual update mechanisms of a Linux distro will be cut out entirely. In this case, 9.5.9-1 is vulnerable to CVE-2017-15098, a vulnerability that potentially allows database connections to crash the server and expose server memory (fixed with 9.5.10).

  • two, using a binary compiled on an unknown platform on any given Linux (or even other UNIX machine) can lead to exciting problems. There are exactly two bulletproof ways to get software on a Linux system: To use a package (rpm, deb) or binaries for the specific distribution that have been pre-compiled by someone against the respective libc and kernel major versions of the target distribution, or to compile it oneself (configure ; make ; make install). Anything else is dependent on luck at best and its support status is doubtful. You should at least make sure you use the same major libc version; if that's not the case, definitely go with your distribution's packages.
It should be noted though that at least one piece of Automic information claimed that version updates to things such as Postgres need to be pre-approved by Automic support, so for the full picture, there's that, too.

Specifically for postgres, you can see their versioning policy here (hint: 9.5 is a major version, and so is 9.6, the current major is 10 and from then on, the major versions will be 11, 12 and so on). You can find their distribution specific binaries here (which are basically pointing to the distro's repos, in most cases).

Just my $0.02.
Two c, two t, two s, and one each of: a e n h r m z i. As long as those letters are all there with no added bits, and are roughly in the right order, I don't mind much. Or just rearrange the letters in "Czar Stench-Mist" to fit. As for the first name: Car as in Automobile. sten as in the English machine pistol. Not Cart as in Shopping Cart, and definitely not Cart as in Cartman.

There would be a friendly smiley here, but the forum software first converts my smiley into an image, and then tells me that images are verboten *facepalm*
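As an added example that is not part of the post above (nor Automic's or PostgreSQL's own tooling), the following shell script implements the two checks the post argues for before a generic tarball binary is dropped onto a host: whether the shipped version is below the first fixed release (9.5.9 vs. the 9.5.10 fix for CVE-2017-15098), and whether the binary's GLIBC symbol-version requirements are satisfied by the host's libc. The `objdump -T` output embedded here is constructed sample text for a hypothetical binary; on a real host you would feed the script `objdump -T /path/to/postgres` and `getconf GNU_LIBC_VERSION` instead.

```shell
#!/bin/bash
# Added example, not from the original post. Checks a generic binary against
# (1) a known-fixed version and (2) the host's glibc before it is deployed.

# Constructed sample of `objdump -T` output for a hypothetical postgres binary.
# Real usage: SAMPLE_OBJDUMP=$(objdump -T /opt/postgres/bin/postgres)
SAMPLE_OBJDUMP='DYNAMIC SYMBOL TABLE:
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 strlen
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.14  memcpy
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.17  clock_gettime
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.3.4 __printf_chk'

# Compare two dotted version strings numerically, component by component.
# Prints -1 if $1 < $2, 0 if equal, 1 if $1 > $2 (so 9.5.9 < 9.5.10, 2.14 > 2.3).
version_cmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) { print "-1"; exit }
      if (xi > yi) { print "1"; exit }
    }
    print "0"
  }'
}

# Check one: is the installed version older than the first fixed release?
# Returns success (0) when an update is needed.
needs_update() {  # $1 = installed version, $2 = first fixed version
  [ "$(version_cmp "$1" "$2")" = "-1" ]
}

# Check two, part a: highest GLIBC_x.y symbol version the binary imports,
# extracted from `objdump -T` text passed as $1.
max_glibc_required() {
  best=""
  for v in $(printf '%s\n' "$1" | grep -o 'GLIBC_[0-9][0-9.]*' | sed 's/^GLIBC_//' | sort -u); do
    if [ -z "$best" ] || [ "$(version_cmp "$v" "$best")" = "1" ]; then
      best=$v
    fi
  done
  printf '%s\n' "$best"
}

# Check two, part b: does the host's glibc satisfy the requirement?
# Real host version: getconf GNU_LIBC_VERSION | awk '{print $2}'
host_glibc_ok() {  # $1 = required GLIBC version, $2 = host GLIBC version
  [ "$(version_cmp "$1" "$2")" != "1" ]
}

# Demo run against the constructed sample and the versions named in the post.
if needs_update 9.5.9 9.5.10; then
  echo "postgres 9.5.9 is below the 9.5.10 fix for CVE-2017-15098: update required"
fi
REQ=$(max_glibc_required "$SAMPLE_OBJDUMP")
echo "binary requires GLIBC_$REQ"
for host in 2.12 2.28; do   # two constructed host glibc versions
  if host_glibc_ok "$REQ" "$host"; then
    echo "host glibc $host: compatible"
  else
    echo "host glibc $host: too old, use the distribution package instead"
  fi
done
```

The symbol-version check only covers libc; a binary can still depend on other shared libraries (`ldd` shows those) or kernel features, which is why the post's advice is to prefer the distribution's packages whenever the libc major versions do not line up.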
