Compiling from the source

To run crap like PHP or NodeJS (and even decent things like nginx with uwsgi) fast and safely (with better security), one has to compile the engine itself and all of its dependencies with hardened compiler flags (-fstack-protector-all and perhaps -fPIE and -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack, etc).

Ideally, one should use hardened Gentoo as the hosting distro, but even Ubuntu LTS will do - just recompile everything user-facing, everything that listens for connections and everything that runs the code, together with all the libs.

The easiest and most robust way is to use scripts similar to FreeBSD Ports, which install everything into /usr/local (and, sometimes, into /opt). This strategy is still more than good enough. It is simple and robust.

No fucking Docker (which uses apt), no Kubernetes or whatever over-"engineered" useless crap is being memed nowadays. Just ./configure --prefix=/usr/local.

FreeBSD ports-like shell scripts

The simplest and most robust way is just to do:

git clone --depth=1 --recurse-submodules --shallow-submodules git://
cd xxx
./configure --prefix=/usr/local
sudo make install

The compiler flags (CFLAGS, CXXFLAGS, etc) in this case should be provided in environment variables, the way the configure script expects them to be specified.
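
The shell functions below are an added example, not code from the original page. `hardening_env` exports the flags named above the way a configure script reads them (the `-pie` link flag is an addition of this example), and `check_hardening` audits the text printed by `readelf` for a built binary; the function names, the binary path in the comment and the sample readelf output are constructed for illustration.

```shell
# Flags named on the page, exported the way ./configure expects them.
# -pie is added by this example so that -fPIE objects link into a PIE.
hardening_env() {
    export CFLAGS="-fstack-protector-all -fPIE"
    export CXXFLAGS="$CFLAGS"
    export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack"
}

# Reads `readelf -W -h -l -d --dyn-syms FILE` output on stdin, prints one
# summary line, and returns non-zero if any protection is missing.
check_hardening() {
    awk '
        /^ *Type:/ && /DYN/   { pie = 1 }                 # ET_DYN: PIE (or a .so)
        $1 == "GNU_RELRO"     { relro = 1 }               # -z relro
        $1 == "GNU_STACK"     { nx = ($(NF-1) !~ /E/) }   # stack flags lack E
        /\(BIND_NOW\)/ || /\(FLAGS\).*BIND_NOW/ || /\(FLAGS_1\).*NOW/ { now = 1 }
        /__stack_chk_fail/    { canary = 1 }              # stack protector import
        END {
            printf "pie=%d relro=%d bind_now=%d nx_stack=%d canary=%d\n",
                   pie, relro, now, nx, canary
            exit !(pie && relro && now && nx && canary)
        }'
}

# Constructed sample: trimmed readelf output for a hardened build.
sample_hardened() { cat <<'EOF'
  Type:                              DYN (Position-Independent Executable file)
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x002db8 0x0000000000003db8 0x0000000000003db8 0x000248 0x000248 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
EOF
}

# Constructed sample: the same fields for a build without the flags.
sample_weak() { cat <<'EOF'
  Type:                              EXEC (Executable file)
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
EOF
}

# Real use (the path is a placeholder):
#   readelf -W -h -l -d --dyn-syms /usr/local/bin/yourbinary | check_hardening
```

A missing GNU_STACK header is reported as nx_stack=0, and a shared library also shows Type DYN, so the pie field is only meaningful for executables.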

Debian/Ubuntu/SRPM source packages

Each particular distro has its own source packages which are used to produce binary packages (for every supported architecture).

Download the source package, change CFLAGS, recompile, then upgrade the installed package.

To avoid further automatic upgrades, explicitly forbid upgrades of this particular package.


If you need to install your own sources/versions - just package them and set up an external repo. This is how Google Chrome is distributed.

It is just that simple. No fucking Docker images are needed.

Last modified on Aug 3, 2019, 6:24:36 AM