Re: BDB selection, et al.

[Howard Chu <hyc@symas.com>]

Quanah Gibson-Mount wrote:
> --On Friday, July 18, 2008 9:11 PM -0400 William Jojo<jojowil@hvcc.edu>
> wrote:

> > I have noticed that the Symas packages user BDB 4.2 (with 2.3.42) as does
> > Ubuntu with 2.4.9+. I was wondering what the preference is over 4.4
> > (which I use) and 4.[67].
>
> 4.2.52 + patches has the longest history of being solid.
>
> 4.3 was a disaster
>
> 4.4 was likely okay
>
> 4.5 was likely okay
>
> 4.6 also seems okay, and has some useful improvements
>
> 4.7 is not yet supported, but will be in a future release, and has
> additional useful improvements over 4.6.

4.7 can be made to work, if you're willing to tweak things a bit. The memory 
manager in 4.6 is much improved over earlier versions; the memory manager in 
4.7 is slightly better still. The lock manager in 4.7 is more efficient in 
multi-core systems than in previous versions.

> > I ask because I build OpenLDAP (among other things) for AIX 5.2/5.3/6.1
> > at (shameless plug) http://pware.hvcc.edu/ and I was considering moving
> > to 2.4.10 with BDB 4.6, but now I am not certain where to go for a few of
> > reasons:
> >
> > * Why the choice to stay with BDB 4.2?
>
> Proven track record over later releases (4.4, 4.5) for stability and
> performance.
>
> > * And OpenSSL 0.9.7l (over the 0.9.8 series)?
>
> I use OpenSSL 0.9.8 in my builds and have for ages.

The Symas OpenLDAP 2.4 packages also use OpenSSL 0.9.8. However, the OpenSSL 
build system changed, making it more difficult to complete the Windows build. 
That's one of the reasons we stayed with 0.9.7 for so long in our OpenLDAP 2.3 
packages.
> > * 2.3.39 has been *stable* since 11/2007 and I have not moved from that
> > point within the software suite offered. Is a later version of 2.3 going
> > to be marked stable (like 2.3.42.1 is in the Symas prodcut).
>
> Not likely.

True, no further 2.3.x release will be marked Stable.

> Stable is really a fairly meaningless term.

False. At the time that a release was marked stable, it was considered the 
most stable release. I.e., after sufficient amount of time in release, no 
major issues were discovered.

> Assigning meaning
> to it as a guideline as to what version to build is a very bad idea.
> There's a major DoS vulnerability in 2.3.39, for example, that was fixed in
> 2.3.43 and 2.4.11.

It's important to note that the Stable marker only changes if there's a new 
release that we consider stable. The subsequent discovery of bugs in a Stable 
release won't trigger the removal of that marker. So 2.3.39 is still marked 
Stable, even though important bug fixes are in 2.3.43, because those bugs were 
discovered long after 2.3.39 was released.

In the meantime, when moving the Stable marker, the Project's practice has 
been that it can only be moved to the Current release stream, which is 2.4. 
But we haven't yet seen a 2.4 release remain long enough in public use without 
new issues quickly being discovered. So there is not yet a new Stable release.

> > * 2.4.x seems stable enough to me and certainly to Ubuntu x86[_64], but I
> > would like some other indication that I should make the leap before I
> > begin to change dependencies to several of the products I produce. Is
> > 2.4.x going to be marked stable in the near future?

> Hopefully.  Note that stable does not remotely mean bug free (or relatively
> low in bug count).  It simply means stable as far as core (i.e., not new)
> functionality is concerned.

No. It means low bug count as of a particular point in time, e.g., within a 
couple weeks after the release.

And as I recall, we need to get to a feature freeze in the core code first. I 
think 2.4 is just about at this point now.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/