Why use Tiger builtin daemons?


A question that I have yet to see answered about OS X Server...
Why would anybody want to use the server builtin features for some simple things like webserving, ftp, mail, etc? I can understand how nice the GUI is for Kerberos / LDAP / OD / Windows share stuff, but it's pretty darn simple to compile Apache / PHP / MySQL / Postfix (or MTA of choice). It seems to me that Apple's updates for these pieces of software are fairly slow, which would mean that the system is inherently less secure than it should be. I mean, take something like BIND - it's insecure in the 10.4.2 configuration (using BIND 9.2.2, rather than 9.3.0) -- but it also seems like it should be up to 9.3.0, since it is one of the top 3 SANS vulnerabilities!

Do people really just use OS X Server because it slaps a pretty GUI on everything? I'm planning on putting my MAMP / Postfix system offsite, in a data center that's about 30 minutes away. Whenever a new patch comes out, it will be difficult to go out there _every_ time, so I need to be able to update all my software *quickly* via the command line. In this case, should I just plan on turning off all of Apple's builtin packages, and running my own daemons via a compiled setup, perhaps located in /opt?

Does anyone have a compelling reason (outside of lack of knowledge / desire to spend effort) why they should put up with flawed daemon software, just to get a GUI?



Seems like most of the daemons you're talking about could be replaced without losing any of the GUI functionality. (I could be wrong about that, so don't hold me to it.)

Also, be aware that you can do Apple's software update remotely (either from the Server Admin application or the command line).

Personally, I think the most helpful GUI piece on Mac OS X Server is probably the workgroup manager, wherein you work with user, groups, and sharepoints. Most of the Server Admin (perhaps save the stuff you mentioned above) is just sugar on top.

If you decide to just compile all your own daemons, and not use the GUI tools included in OS X Server, then you should realize you've overpaid for Mac OS X Server (shoulda just bought the client). Also, I would imagine compiling your own updates every time would entail more downtime for upgrades (I could be wrong about that, though).


OK, so for a situation where users / groups / sharepoints don't really apply (e.g. mine), the server admin gui is pretty unnecessary it seems. I purchased the XServes, mostly because we had the money and the hardware is bueno, so the software is gravy.

I know that you can use the software update from the cli, but it takes a long while for Apple to actually port the binaries over, then issue them from SU.

Mostly what I meant was, it seems like they've done a pretty good job getting stuff integrated into a central management point, but it does take Apple a little while to distribute patches for Apache and the like. What do people out there do -- do you build your own kits piecemeal, to have a better idea of what's going on, or do you run Apple's default configuration? How secure would you reckon that Apache 1.3.xx / BIND 9.2.2 / other unpatched sw is? After all, the major rule of being a sysadmin is to make sure your stuff is patched -- but it takes Apple a long time to release patches through its SU feature!