Who is the behind Webtatic repository and do you trust it

repository centos redhat

Back when I first started as a Linux admin 8 years ago I used to use a popular third party repository to upgrade my LAMP stack. It was run by a single individual. One of the primary reasons was developers pressuring me for a newer version of PHP than what came with RHEL 5. It ended up biting me.

The person abandoned the repositories so I was no longer getting security updates, but I also could not remove all the newer packages and go back to the RHEL packages due to the RHEL version of PHP being from too old a branch. Moving to that repository's LAMP stack touched at-least half a dozen packages or more. So, maintaining those packages and recompiling them all by hand from time to time would be a major PITA.

You also lose the ability to use the OS vendor's security advisories regarding CVE vulnerabilities to determine whether your system is or is not vulnerable to a certain exploit for those packages. This proved to be a major problem for me years later, even though I would have never anticipated at the time.

So, in addition to having trust in the maintainers integrity and technical skills, you have to ask yourself whether you trust them not to move on to a new job that wont allow them to maintain the repository, or get married and have kids and no longer have time, etc....

Since then I have been very skittish about using any third party repositories, especially those that only have one person running them.


The question is not if we trust Andy, it is if you trust Andy.

I'm not familiar with the repository but the donation button suggests a personal effort. Feel free to contribute if it has value to you.

Packages look to be GnuPG signed, so it is possible to verify with some certainty the packages are authentic. You can also check if he is on the web of trust.

Regarding quality or security, its best if someone else has a look at how the repository is doing. This could be you. Subscribe to the upstream security advisories and check if they are affected. Evaluate the packages as a reviewer would for Fedora.

If continuity of these packages is important to you, acquire similar skills. Learn packaging or hire someone who can.


Remi is the standard for latest builds of PHP for RHEL. He is a long established and reliable source for RPM packages that's being actively maintained and includes as many relevant packages as possible.

The webtatic source is unknown and untrusted. It shouldn't be used at all.

I found it running on a legacy system. It had a serious memory leak in it. I replaced it with Remi, exactly the same PHP version and suddenly everything's running smoothly. I don't think it's even a stable compile.

Related

Up-to-date alternatives of rssh or scponly [closed]
How do you troubleshoot wireless woes?
Beginners questions on how RADIUS and WiFi authentication works
Apache mod_proxy vs mod_rewrite
"-bash: telnet: command not found " error?
Exact meaning of RX 'errors' and 'frame' in ifconfig output?
what is the point of stripping a binary/elf program?
How to do the equivalent of Synology Hybrid Raid on Linux myself?
Is BitTorrent good for copy files between servers in the workplace?
Interpreting ethtool Coalesce output
Possible to close port 80 and still use port 443?
Is there a Windows CMD equivalent of Unix shell's exec?