Manuel Reimer
2008-Jul-21 15:08 UTC
[CentOS] How to get additional packages? How secure is Yum?
Hello,

I'm coming from Slackware and I'm searching for another distribution to run on my desktop and in the near future also on a server.

The *top priority* for me is security!

I've test-installed CentOS on one of my test systems. So far everything went OK. After trying it a bit, I would like to ask some questions:

- What is the suggested way to get *secure and trusted* additional packages? I don't want packages packaged by "someone" who doesn't have the required experience and who doesn't do the packaging on a dedicated "build host" which isn't used for anything else than building packages.

  I tried the Dag repository. It seems to be well done, and as Dag is a member of the CentOS staff, I think his packages are trustworthy. Unfortunately I'm unsure if they are secure. For example there is a Drupal package which is *out of date*! So there should either be an update, or the package should maybe be removed altogether, as it is a security hole! Is there a repository available which only has as many packages as the maintainer is able to keep secure?

- My second question is about: http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html

  Yum also seems to be affected, so a malicious mirror would be able to downgrade a package on a server where it's suggested to be *upgraded* to a patched version. When will Yum be fixed and what is the suggested way to make Yum more secure?

Thanks in advance for any answers.

Yours
Manuel

--
() ascii ribbon campaign - against html mail
/\                       - against HTML mail
answers as html mail will be deleted automatically!
Replies as HTML mail will be deleted automatically!
Akemi Yagi
2008-Jul-21 15:16 UTC
[CentOS] How to get additional packages? How secure is Yum?
On Mon, Jul 21, 2008 at 8:08 AM, Manuel Reimer <Manuel.Reimer at gmx.de> wrote:
> - My second question is about:
> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html

Please read: http://planet.centos.org/

Akemi
Manuel Reimer wrote:
> Hello,
>
> I'm coming from Slackware and I'm searching for another distribution to run
> on my desktop and in near future also on a server.
>
> The *top priority* for me is security!
>
> I've test-installed CentOS on one of my test systems. So far anything went
> OK. After trying a bit, I would like to ask some questions:
>
> - What is the suggested way to get *secure and trusted* additional packages?
> I don't want packages packaged by "someone" who doesn't have the required
> experience and who doesn't do the packaging on a dedicated "build host"
> which isn't used for anything else than building packages.

Security is pretty important for me too. For this, and other reasons, I never point yum to 3rd party repositories.

I only run CentOS/RHEL on servers. I run Debian on desktops (due to larger package selection and still long release cycles for stable), and usually Ubuntu on laptops (for more current hardware support).

With that in mind, for the 3rd party packages I get, I inspect the version numbers by hand, and I build the source rpms myself and install them via RPM (not via yum). I use a lot of src rpms from Dag's site, for example.

There aren't many 3rd party packages installed that are remotely accessible, and my systems have only trusted local users. Due to this I don't need to update the 3rd party packages very often (some, such as perl modules, I don't even update). To date, anyway, it has provided me with minimal hassle. There is some extra work up front building packages; depending on the size of your environment (mine is several hundred systems), the extra work is well worth it.

If security is a top priority, and you really want to use CentOS/RHEL, then don't use 3rd party packages, period. Otherwise I suggest you find a distro that supports the applications you wish to run directly, or maintain them yourself.

And of course security/stability rarely means having the latest version.

nate
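Two things in this thread come down to comparing package versions correctly: Manuel's worry that a mirror could keep a server on an old package instead of the patched one (the replay/freeze problem from the linked paper), and nate's habit of inspecting third-party version numbers by hand before building them. Both checks fail silently if versions are compared as plain strings ("1.9" sorts after "1.10"). The example below is an added illustration, not code from the thread, from yum or from the CentOS project: a pure-Python re-implementation of rpm's version ordering (digit runs compared numerically, letter runs lexically, `~` sorting before everything), used to flag packages a mirror advertises at an older EVR than a trusted reference, plus an age check on the `repomd.xml` timestamp. The package names and EVRs are constructed sample data, not real repository contents; the "trusted reference" is assumed to be whatever you treat as authoritative (the project's own master repository, its advisories, or a second mirror).

```python
import re


def rpmvercmp(a, b):
    """Order two RPM version or release strings the way rpm does.

    Returns -1, 0 or 1. Runs of digits compare numerically, runs of letters
    lexically, separators are ignored, a numeric segment is newer than an
    alphabetic one, and '~' sorts before anything (so 1.0~rc1 < 1.0).
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators ('.', '_', '-', ...) carry no meaning: skip them
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        # tilde sorts before everything, including the end of the string
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i += 1
            j += 1
            continue
        if not ca or not cb:
            break
        # the type of a's next segment decides what we pull from both strings
        pattern = r"[0-9]+" if ca.isdigit() else r"[A-Za-z]+"
        sa = re.match(pattern, a[i:]).group(0)
        mb = re.match(pattern, b[j:])
        sb = mb.group(0) if mb else ""
        i += len(sa)
        j += len(sb)
        if not sb:
            # mixed types: a numeric segment is newer than an alphabetic one
            return 1 if ca.isdigit() else -1
        if ca.isdigit():
            # numeric: drop leading zeros, then the longer run is larger
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    # whichever string still has segments left is the newer one
    return -1 if i >= len(a) else 1


def evrcmp(x, y):
    """Compare (epoch, version, release) triples: epoch dominates, then version, then release."""
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


# Constructed sample data (not taken from any real repository): the EVRs a
# trusted reference publishes for a few packages...
REFERENCE = {
    "openssl": (0, "0.9.8b", "10.el5_2.1"),
    "bind": (30, "9.3.4", "6.0.2.P1.el5_2"),
    "drupal": (0, "6.3", "1.el5.rf"),
}
# ...and what one mirror's primary.xml currently advertises.
MIRROR = {
    "openssl": (0, "0.9.8b", "10.el5"),  # older release than the reference
    "bind": (30, "9.3.4", "6.0.2.P1.el5_2"),  # in sync
    "drupal": (0, "6.2", "1.el5.rf"),  # older version than the reference
}


def stale_advertisements(reference, mirror):
    """Packages the mirror advertises at an EVR older than the trusted reference.

    A replayed or frozen repodata set is still correctly signed, so GPG checks
    pass; only this version-level comparison shows that the mirror is behind.
    """
    return sorted(
        name for name, evr in mirror.items()
        if name in reference and evrcmp(evr, reference[name]) < 0
    )


def metadata_is_stale(repomd_timestamp, now_timestamp, max_age=7 * 86400):
    """repomd.xml carries a <timestamp> in epoch seconds; older than max_age is suspect."""
    return now_timestamp - repomd_timestamp > max_age


if __name__ == "__main__":
    print("mirror behind reference for:", stale_advertisements(REFERENCE, MIRROR))
    now = 1216652880  # constructed: epoch seconds around the date of this thread
    print("metadata stale:", metadata_is_stale(now - 30 * 86400, now))
```

Running the script lists `drupal` and `openssl` as behind the reference and reports the 30-day-old metadata as stale. The version comparison is the part worth keeping: any hand check of the kind nate describes, or any automated comparison of a mirror against an authoritative source, needs rpm's ordering rather than string order, or releases like `10.el5` and `10.el5_2.1`, or `6.2` and `6.10`, will be ranked wrongly.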