by tkiley 3586 days ago
It seems like it's good to be able to rebuild everything at a moment's notice after patching against a major exploit, though. You should have a fast way to rebuild secrets and servers after the next heartbleed-scale vulnerability.

After a bunch of harrowing experiences with clients, I'm pretty close to believing "using packages for critical infrastructure is a bad idea".

Being able to rebuild critical infrastructure from source, and know that you'll be able to reliably deploy it, is a _huge_ win for security.

In that case, you might be interested in bosh: http://bosh.io/docs/problems.html (the tool that enables the workflow jacques_chester was describing). It embraces the idea of reliably building from source for the exact reasons you've mentioned.

I'm confused now: earlier you recommended patches over rebuilding continuously from source, but this seems like the opposite?
What does "packages" mean here? Sorry.
My guess is that "packages" is shorthand for "binary packages", as opposed to being able to redeploy from source.
Nod.
I'm guessing they meant to write "patches".