Should I use the CentOS package version in the (official) repositories, or the latest stable versions of the packages?

GiggleSquid asked:

This is an open ended question, but I do wish to have a constructive and helpful discussion into this topic.

So to clarify on the question:
On a server running CentOS 7 (or any other Linux distro/version for that matter) Is it best to stick with the package version in the Base/EPEL repo or is it fine to get the latest stable version form the package site? In this case I am more specifically referring to packages like nginx, MariaDB and PHP 7.
For example, what would be the pros and cons of installing nginx 1.8.0 over the EPEL version 1.6.3?
Are there any performance differences or security risks either way?

All discussion and experience is welcome, please try to cite resources and facts.

My answer:

Matthew Ife’s and shodanshok’s answers cover the issues in general, but I want to address your specific concern by putting the issues in context, as it is exactly these sorts of systems that I manage.

My current build for deploying PHP/MySQL web apps is:

First, let’s consider why we choose a particular distribution or package set. Either we value stability over the latest features, or we value the latest features over stability. It’s not generally possible to have both in the same distribution, as stabilizing software requires time to fix bugs, and adding new features introduces bugs, thus instability.

As a general rule I want the operating system on which the application runs to be as stable as possible, but with a reasonably modern feature set. Thus I’ll choose CentOS 7 over CentOS 6, which is rather old at this point, and while it will work, it doesn’t have as much time left in its support lifecycle, so I won’t use it for a new project.

However, I then ran into the issue that the version of nginx included with CentOS was too old and did not have some required features and bug fixes. Thus I went searching for alternate packages, and found that distributes their own. I switched to them almost immediately and have found them perfectly stable over the long haul.

Then there is PHP. I know from history that the version of PHP shipped with CentOS will be the only version it ever gets, and will only get security updates; no new features or bug fixes. Thus, once it is out of support upstream, I am eventually going to be unable to run modern PHP web applications if I use those packages. Thus it’s necessary to replace these as well.

From long experience I’ve learned that it’s best to track bugfix releases with PHP, not simply to freeze at one point release and take only security fixes, as the web applications I run will also be updated and will need those bugfixes. So after evaluating many different sets of PHP packages, I settled upon remi’s pacakges. Remi happens to be a Red Hat employee and is also responsible for the PHP packages in RHEL/CentOS. So I know his packages will be high quality, and they have been. They are drop-in replacements for the system packages and work perfectly.

Finally we get to MariaDB. You can choose to keep the system packages here and suffer no ill effects. I chose to switch to MariaDB’s 10.0 packages (and soon will go to 10.1) to take advantage of TokuDB and some other performance enhancements not available in the 5.5 version shipped with CentOS, and that it will never receive major upgrades for.

Overall you need stability in your base system, but web apps change much more rapidly than, say, line of business software, and your server will need to keep up. Thus I’ve chosen targeted points where upgrading packages will gain clear benefits with little additional administrative overhead (a.k.a. work).

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.