Two things have been weighing on my mind regarding security issues.

The first is that when I downloaded the CentOS 4.1 ISO images, I could not get the sums to match even using different downloads from different mirrors. I decided that I was doing something wrong and decided to trust the images. So far no regrets. But I am concerned that I get it right the next time. I thought I had read everything carefully and I also had a small amount of experience with them in the past. Decided eventually maybe they just hadn't been updated (this was about a month or so ago, IIRC?).

Can one post the command used to gen the numbers so I can use the correct parameters next time? TIA

My second concern is with security update announcements. For all the announcers but one (IIRC) I get "Invalid signature" displayed (using Evolution). I would ask "Should I be concerned?", but the answer is self-evident in security circles. So instead, I'll ask if this is acceptable in the official CentOS and I can continue to rely on their stuff in their opinion. Again, TIA

And, please, no comments on the irony inherent in this. We don't want to be un-subscribed, otherwise castigated or fan the flames of possible list moderation. I know "the powers that be" will appreciate our cooperation. Last TIA
On 10/12/05, William L. Maltby <BillsCentOS at triad.rr.com> wrote:
> Two things have been weighing on my mind regarding security issues.
>
> The first is that when I downloaded the CentOS 4.1 ISO images, I could
> not get the sums to match even using different downloads from different
> mirrors. I decided that I was doing something wrong and decided to
> trust the images. So far no regrets. But I am concerned that I get it
> right the next time. I thought I had read everything carefully and I
> also had a small amount of experience with them in the past. Decided
> eventually maybe they just hadn't been updated (this was about a month
> or so ago, IIRC?).
>
> Can one post the command used to gen the numbers so I can use the
> correct parameters next time?

Windows and sums are problematic. When you boot the suspect CD set run the check CD option. Unless you can download and check on a *nix box.

--
Leonard Isham, CISSP
Ostendo non ostento.
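The original poster asked for the command behind the numbers, and the reply above points at checking on a *nix box. The following is an added example (not code from either poster or from the CentOS project) showing how a sums file in the md5sum.txt layout is produced with `md5sum` and then checked with `md5sum -c`, which re-hashes each listed file and compares for you instead of relying on eyeballing 32 hex digits. The file names and contents are constructed stand-ins so the script runs offline; a real check uses the md5sum.txt that ships next to the ISOs.

```shell
#!/bin/sh
# Added example: generate and verify an md5sum.txt-style sums file.
# All file names and contents below are constructed placeholders.

# Scratch directory holding two tiny stand-in "ISO" files.
make_demo_dir() {
    dir=$(mktemp -d) || return 1
    printf 'constructed image one\n' > "$dir/demo-disc1.iso"
    printf 'constructed image two\n' > "$dir/demo-disc2.iso"
    printf '%s\n' "$dir"
}

# Producer side: md5sum over relative names yields the "<hash>  <name>"
# lines that md5sum -c expects. Run inside the directory so the names
# in the list are relative, not absolute paths from some other box.
gen_sums() {
    ( cd "$1" && md5sum *.iso > md5sum.txt )
}

# Consumer side: md5sum -c re-hashes every listed file and compares.
# Exit status is 0 only if every file matches; a mismatch prints
# "<name>: FAILED" and exits non-zero, so scripts can act on it.
verify_sums() {
    ( cd "$1" && md5sum -c md5sum.txt )
}

# A sums file saved through a Windows editor or browser often carries
# CRLF line endings; the stray \r can end up in the name the checker
# looks for. Stripping it before checking is the usual fix.
fix_crlf() {
    tr -d '\r' < "$1/md5sum.txt" > "$1/md5sum.txt.tmp" &&
        mv "$1/md5sum.txt.tmp" "$1/md5sum.txt"
}

# Walk through the cases a downloader meets: a clean set, a corrupted
# image, and a CRLF sums file repaired with fix_crlf. Returns a
# three-word summary ("ok"/"bad" per step) so the result is testable.
demo() {
    d=$(make_demo_dir) || return 1
    gen_sums "$d"
    verify_sums "$d" >/dev/null 2>&1 && clean=ok || clean=bad

    # Corrupt one image: a single appended byte changes the digest.
    printf 'X' >> "$d/demo-disc2.iso"
    verify_sums "$d" >/dev/null 2>&1 && corrupt=ok || corrupt=bad

    # Restore the image, convert the sums file to CRLF, then repair it.
    printf 'constructed image two\n' > "$d/demo-disc2.iso"
    awk '{ printf "%s\r\n", $0 }' "$d/md5sum.txt" > "$d/m.tmp" &&
        mv "$d/m.tmp" "$d/md5sum.txt"
    fix_crlf "$d"
    verify_sums "$d" >/dev/null 2>&1 && fixed=ok || fixed=bad

    rm -rf "$d"
    echo "$clean $corrupt $fixed"
}
```

The same idea carries over to the signed announcements discussed later in the thread: a detached signature is checked with `gpg --verify`, and if the signer's public key has not been imported, gpg reports that it cannot check the signature for lack of a public key, which is a different condition from a signature that actually fails.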
On 12 Oct 2005 at 9:20, William L. Maltby wrote:
<snip>
> My second concern is with security update announcements. For all the
> announcers but one (IIRC) I get "Invalid signature" displayed (using
> Evolution). I would ask "Should I be concerned?", but the answer is
> self-evident in security circles. So instead, I'll ask if this is
> acceptable in the official CentOS and I can continue to rely on their
> stuff in their opinion.

Do you have any more detail as to why the invalid signatures? Does it give you a different message if you haven't imported someone's public key? You might want to check out your GPG integration setup with Evolution.

I'm using Thunderbird/Enigmail to read list mail, and all of the CentOS announcement messages have verifiable signatures. I assume you have no trouble with PGP/MIME since that appears to be what you're using...

----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.