[CentOS] How to get additional packages? How secure is Yum?

Manuel Reimer Manuel.Reimer at gmx.de
Mon Jul 21 15:08:57 UTC 2008


Hello,

I'm coming from Slackware and I'm searching for another distribution to run on my desktop and in near future also on a server.

The *top priority* for me is security!

I've test-installed CentOS on one of my test systems. So far anything went OK. After trying a bit, I would like to ask some questions:

- What is the suggested way to get *secure and trusted* additional packages? I don't want packages packaged by "someone" who doesn't have the required experience and who doesn't do the packaging on a dedicated "build host" which isn't used for anything else than building packages.

I tried the Dag-Repository. Seems to be well done and as Dag is member of the CentOS-Staff, I think his packages are trustworthy. Unfortunately I'm unsure if they are secure. For example there is a Drupal package which is *out of date*! So there should either be an update or the package maybe should be removed at all as it is a security hole! Is there a repository available which only has that much packages as the maintainer is able to keep secure?

- My second question is about:
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html

Yum also seems to affected, so a malicious mirror would be able to downgrade a package on a server where it's suggested to be *upgraded* to a patched version.

When will Yum be fixed and what is the suggested way to get Yum more secure?

Thanks in advance for any answers.

Yours

Manuel
-- 
()  ascii ribbon campaign - against html mail
/\                        - gegen HTML-Mail
answers as html mail will be deleted automatically!
Antworten als HTML-Mail werden automatisch gelöscht!

GMX Kostenlose Spiele: Einfach online spielen und Spaß haben mit Pastry Passion!
http://games.entertainment.gmx.net/de/entertainment/games/free/puzzle/6169196



More information about the CentOS mailing list