Carsten_Schmitz

PSA: Using generic binaries, especially something third-party and complex, such as postgres

Discussion created by Carsten_Schmitz on Dec 6, 2017
I've talked to various people at Automic about this before, but for the sake of general awareness, I feel like I should step on the soap box once more.

I just downloaded the latest AE package, and that includes a folder /External.Resources/postgresql/unix/linux/x64, which includes a tarball with Postgres 9.5.9-1.

While this is a relatively recent version of postgres, in my humble opinion it is not a good idea to ship anything this way, but especially complex stuff - or for customers to make use of this. There are two issues with this that customers considering this should be aware of:

  • one, by simply copying some binaries from a tarball and running them, the usual update mechanisms of a Linux distro will be cut out entirely. In this case, 9.5.9-1 is vulnurable to CVE-2017-15098, a vulnurability that potentially allows database connections to crash the server and expose server memory (fixed with 9.5.10).

  • two, using a binary compiled on an unknown platform on any given Linux (or even other UNIX machine) can lead to exciting problems. There are exactly twobulletproof ways to get software on a Linux system: To use a package (rpm, deb) or binaries for thespecific distributionthat have been pre-compiled by someone against the respective libc and kernel major versions of the target distribution, or to compile it oneself (configure ; make ; make install). Anything else is dependent on luck at best and it's support status is doubtful. You should at least make sure you use the same major libc version, if that's not the case,definetlygo with your distribution's packages.
It should be noted though that at least one piece of Automic information claimed that version updates to things such as Postgres need to be pre-approved by Automic support, so for the full picture, there's that, too.

Specificially for postgres, you can see their versioning policy here (hint: 9.5 is a major version, and so is 9.6, the current major is 10 and from then on, tje major versions will be 11, 12 and so on). You can find their distribution specific binaries here (which are basically pointing to the distro's repos, in most cases).

Just my $0.02.

Outcomes