General questions about install order and variants (Apache2, PHP5, PostgreSQL, mySQL)

Ryan Schmidt ryandesign at macports.org
Fri May 18 13:42:13 PDT 2007


Hi Bill. I've responded to much of what you've written, and snipped the  
rest:

On May 18, 2007, at 12:57, Bill Hernandez wrote:

> Over time I've installed so many different versions of software  
> (mostly Apache, php, pgsql, and a myriad of dependencies) in the  
> form of binaries & source installs on my workstation, and on the  
> servers that after a while I began to feel that I had no clue  
> what's what, or what was where, a big unruly mix and match...
>
> Over time there have been a number of binaries,  some better than  
> others. At first I tried binaries from marc liyanage, and others,  
> and the problem for me with the binaries was :
> ( 1 ) that you were always from moderately behind, to far behind  
> the current versions.
> ( 2 ) by their nature there's no choice on where, what options,  
> versions, etc are installed.

I started with Marc's PHP 4 package too. Maybe a year or two ago he  
did in fact start making the selection of some of the modules  
configurable through the Mac OS X Installer package. But I switched  
away from his packages when he was too busy to provide a PHP 5 package.

> Some people put a great deal of effort into creating these  
> binaries, and for the most part grateful as you were that someone  
> took the time, they never quite solved the problem.
>
> I began installing from source and found that to be an exercise in  
> total frustration. If you did a simple
> ./configure (with maybe a couple of simple options)
> make
> sudo make install
>
> things might install as advertised, but even then you might get  
> failures because you are missing some dependency, or you don't have  
> the correct version of openssl, or libxml, or some other such thing  
> and the install requires a later version. Not to even mention all  
> the warnings the compiler doles out about unsigned variables, etc.
>
> Sometimes when you get involved in what you feel is going to be a  
> 30 minute deal, and three days later at 3:15 am you've installed a  
> boat-load of dependent software, you're on the last leg and the  
> last one just refuses to compile with some cryptic message. You  
> begin to feel like you're inside a huge snowball rolling down the  
> mountain totally out of control, and there's a big giant Sequoia at  
> the bottom, and you just know it's got your name on it. Now you have  
> all this stuff installed that won't work and the only choice is to  
> re-format/erase the drive and restore from the latest backup to try  
> to get back to where you were 72 hours prior. Get that started and  
> go to bed, and hope the next day you'll feel better...

MacPorts is a great help here, because not only are portfiles already  
written, containing a set of configure options that are thought to be  
useful, but MacPorts also keeps track of what each software package  
installed. If you want to just remove one of the software packages  
you installed with MacPorts, that's no problem, because it knows what  
files came with what ports so it can uninstall them safely. Also, all  
(well, most) of MacPorts goes into /opt/local, which means if you get  
totally screwed up, you just blast away /opt/local and everything  
(well, most of it) is gone, without having affected your OS in any way.

> I used to think I was reasonably safe behind the routers/firewalls,  
> and behind the OSX Server Firewalls until I began reading all the  
> daily vulnerability reports. In fact since I do this as a hobby  
> now, I shut down all the servers the other day, and ordered a new  
> SonicWall TZ 180 Wireless, which supposedly will allow me to  
> encrypt all wireless access from my workstation or laptop at home.  
> This course that my wife took, and the "Sans OnDemand" stuff is  
> really worth the money. I used to think it would be nice to shell  
> out the multi-thousand dollars for Cisco, only to find out that it  
> doesn't matter what you have, it's all vulnerable, whether it's  
> Cisco, SonicWall, etc. the only hope we have is defense in depth.  
> For those of us that can write shell scripts, but are not in the  
> super-guru category, the opportunities that wrong flag or something  
> to that effect can produce is vulnerability issue is far too real.
>
> When I started doing this, if you were a programmer you could make  
> really good money. Now that so much of the programming has gone  
> overseas, and everybody and their brother writes some level  
> software, a course like this really wakes you up to the realization  
> that even the average user's computer is in great peril of being  
> used as a parking source to robots, hackers, worms, trojans, etc.  
> from which to launch their attacks. I used to think my stuff was  
> reasonably safe, being OSX based, and after this course I can see  
> that I've been in the land of OZ.

This is sort of a side issue, but I want to say that I feel  
completely safe with Mac OS X. I have used it since Public Beta was  
made available 7 years ago, have never had any kind of antivirus  
software on it, and have never had any virus or similar malware  
appear. I'm still not aware of any that's ever been written for Mac  
OS X! Sure, there has been the occasional news article about some Mac  
malware, but you have to actively work to get it installed on your  
machine, which nobody would do. And there have been a few issues in  
Mac OS X that would make it easier for unwanted software to end up on  
your machine, but Apple releases security updates to patch these  
problems.

The only time I got something unwanted on my machine was when I was  
directly connected to the cable modem (I didn't have a router at the  
time), and had ssh turned on, and had a testing account on my machine  
with username and password "test". Someone figured this out, logged  
in, and deposited a little program in my /tmp/ directory and ran it.  
But that was easy to spot and nuke, and I shouldn't have been so  
silly with my account name and password. And now I have a wireless  
router which does not forward any unrequested traffic to my machine.

> What a happy life I had before I bought my first TI 16  
> something_or_other, before the Commodore 64 and the Apple II  
> computers. I can truthfully say that they have sucked the very life out  
> of my soul, they were supposed to make life easier, supposed to  
> help us have more free time, huh ? OS X has made things a lot  
> better in some respects, and  worse in others. We don't suffer  
> crashes 3 times a day any more, that's good...

At the web site development company I worked for, it was  
approximately monthly that we decided we all needed to throw our  
computers out the window and open up a hot dog stand instead. We  
always seemed to come back to the office the next day though...

> Anyway, great as the Mac has been, Apple has done a very poor job  
> in providing help to upgrade the ancient versions of software that  
> come with the OS. They install dark age versions of all kinds of  
> things and never seem to have a path to upgrade any of this stuff.

I see the reason Apple does this though. New major versions of  
software frequently break things. Mac OS X 10.4.9 currently has PHP  
4.4.4, for example, in /usr/bin/php. PHP 5.2.2 is the currently  
recommended version from the PHP group. But if Apple were to silently  
upgrade PHP to 5.2.2, some of the user's PHP scripts, which were  
written to PHP 4 standards, could break, because some things did  
change between PHP 4 and PHP 5. Apple's thought process is probably  
that the user bought the product "Mac OS X Tiger" and is now writing  
or using other software that works with that product. If Apple  
suddenly changes the composition of that product midstream, that's  
not good. It's nice for developers to be able to say "My product  
works with Mac OS X Tiger" and that's all they need to say, as  
opposed to "My product works with Mac OS X Tiger thru 10.4.8, but  
10.4.9 broke it so please don't update yet." Then users would be more  
wary of installing system updates, and they wouldn't benefit from the  
other fixes included in that or subsequent updates.

Rather, Apple seems to have a history of making major updates to  
installed packages only at paid update points, at major OS releases,  
like the upcoming "Mac OS X Leopard." If someone goes to the trouble  
of purchasing this new product and installing it from disc, the user  
can expect that they would also need to upgrade other software to  
versions compatible with this new OS product. I have a feeling  
Leopard will include PHP 5, for example, and maybe even Apache 2.

Apple does update the installed packages more frequently if security  
concerns demand it. For example, I believe Tiger used to ship with  
PHP 4.3, but 4.4.4 must have addressed some security issues, so it  
was delivered in one of the monthly Security Updates.

> The user has to resort to things like FINK, etc. which puts stuff  
> in non-standard locations "/sw".

It's safer, really. This way Fink (in /sw) and MacPorts (in  
/opt/local) are completely (mostly) isolated from the rest of the OS.  
Makes it much easier to disentangle later. If MacPorts (or you,  
manually) were to install on top of things provided by the OS, the OS  
might break in mysterious ways. Apple wouldn't be able to help you,  
because they never tried to do what you're doing. And other MacPorts  
users wouldn't be able to help you, because they don't know what else  
you've installed on your machine. Much better when things are cleanly  
separated as they are.

> In my opinion Apple is in a perfect position to know where  
> everything, and I mean EVERYTHING (pathwise, and dependency wise)  
> is located since they shipped it installed. So that even if they  
> are not going to handle the upgrades from Apache 1.3 on OSX, or  
> Apache 2.0.52 on OSX Server, or openssl .96d, or php 4.x to the  
> current versions, they should have some really good instructions on  
> how to replace and upgrade the existing outdated versions.  
> Shamefully they don't do anything of the sort...
>
> Perhaps if you are a home user with an iMac or a laptop you can get  
> by with Apache 1.3, (we're talking 4 or 5 years after Apache 2  
> became available) but certainly if you are shelling out a bunch of  
> money for OSX Server, Apple should be more forthcoming. Their  
> policy seems to be install it and forget. The user won't notice how  
> ancient this stuff is, and even if they do "We'll just tell them  
> that's not part of the 90 day support"...

First off, Mac OS X Server has included Apache 2 for many many years.  
Granted, it's not the default, and you can't use their pretty GUI to  
configure it, but it is there and can be used.

As to the support AppleCare provides, it's not really their job to  
help you with UNIXisms. AppleCare's job is to make sure Mom can check  
her email and make a photo book to send out at Christmas, Billy can  
video chat with his friends to talk about the movie they're going to  
make to show off their skateboarding skills, and Dad can make an  
impressive Keynote presentation so he can get promoted to Assistant  
Manager. And if you've paid $1000 for Mac OS X Server support, then  
their job is to help you with server management tasks using Apple  
tools. But that's about it. UNIX system administration requires many  
more additional skills, which AppleCare representatives do not  
receive any training for and are therefore in no position to impart  
to you.

> It's hard for me to believe that Apple is totally unconcerned with  
> this problem. In my opinion Apple's lack of interest in maintaining  
> the software packages they pre-install with the OS up to date is  
> shameful. I do not think they should be responsible for any user  
> installed stuff, but they should certainly provide a way to keep  
> software that comes with the OS up to date, such as the software  
> previously mentioned...

Apple does keep the OS up-to-date with regular software updates, and  
they are very easy to install; just click the Install button.  
However, IMHO in order to maintain software compatibility throughout  
the life of the OS product, they don't make major changes to the  
installed packages until the next major OS release.

> Before I install (Apache2, PHP5, PostgreSQL, mySQL) I wanted to  
> find out if there was a preferred way of doing this ?
>
> It seems like PHP should be last because of the --with APXS2 that  
> requires a path  to Apache, but in this case where MacPorts knows  
> where everything is going to be installed anyway maybe it doesn't  
> matter ?

Ports in MacPorts define what other ports they depend on, but the  
syntax does not at present allow it to specify what *variants* of  
that port would be ideal. So, for example, if you do not yet have  
mysql5 installed, and you install php5 +apache2 +mysql5, MacPorts  
will install apache2 and mysql5 for you first, but with the default  
set of variants. If you want to run a MySQL server, however, you will  
want to install mysql5 +server. So it would behoove you to install  
mysql5 +server first, then install php5 with the desired variants.  
Otherwise you will have to later forcibly uninstall the non-server  
mysql5 and then install mysql5 +server.
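
The ordering advice above, as an added example that is not part of the original message: a shell sketch that reads a `port installed` listing and prints the `port` commands in the order described. The listing is constructed sample data (version numbers made up), and the function names `has_active_variant` and `plan_install` are hypothetical; the commands are printed, not run.

```shell
#!/bin/sh
# Constructed sample of `port installed` output: mysql5 was pulled in as a
# dependency with default variants, so it lacks +server.
SAMPLE_INSTALLED='The following ports are currently installed:
  apache2 @2.2.4_0 (active)
  mysql5 @5.0.41_0 (active)'

# has_active_variant LISTING PORT VARIANT
# Succeeds only if the active copy of PORT was built with +VARIANT.
has_active_variant() {
    printf '%s\n' "$1" | awk -v port="$2" -v want="$3" '
        $1 == port && $NF == "(active)" {
            n = split($2, parts, "[+]")   # parts[1] is @version_revision
            for (i = 2; i <= n; i++) if (parts[i] == want) found = 1
        }
        END { exit !found }'
}

# is_installed LISTING PORT: succeeds if any copy of PORT is listed.
is_installed() {
    printf '%s\n' "$1" | awk -v port="$2" '$1 == port { f = 1 } END { exit !f }'
}

# plan_install LISTING: print the commands to run (with sudo), in order.
plan_install() {
    if is_installed "$1" mysql5; then
        if ! has_active_variant "$1" mysql5 server; then
            # Non-server mysql5 is already present: forcibly remove it,
            # then rebuild with the server variant.
            echo "port -f uninstall mysql5"
            echo "port install mysql5 +server"
        fi
    else
        # Nothing installed yet: request +server before php5 can pull in
        # mysql5 with the default variants.
        echo "port install mysql5 +server"
    fi
    echo "port install php5 +apache2 +mysql5"
}

plan_install "$SAMPLE_INSTALLED"
```

On a real system, pass the output of `port installed` instead of the sample: `plan_install "$(port installed)"`.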




