Hello,
I'm coming from Slackware and I'm searching for another distribution to run on my desktop and in near future also on a server.
The *top priority* for me is security!
I've test-installed CentOS on one of my test systems. So far anything went OK. After trying a bit, I would like to ask some questions:
- What is the suggested way to get *secure and trusted* additional packages? I don't want packages packaged by "someone" who doesn't have the required experience and who doesn't do the packaging on a dedicated "build host" which isn't used for anything else than building packages.
I tried the Dag-Repository. Seems to be well done and as Dag is member of the CentOS-Staff, I think his packages are trustworthy. Unfortunately I'm unsure if they are secure. For example there is a Drupal package which is *out of date*! So there should either be an update or the package maybe should be removed at all as it is a security hole! Is there a repository available which only has that much packages as the maintainer is able to keep secure?
- My second question is about: http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-pa...
Yum also seems to affected, so a malicious mirror would be able to downgrade a package on a server where it's suggested to be *upgraded* to a patched version.
When will Yum be fixed and what is the suggested way to get Yum more secure?
Thanks in advance for any answers.
Yours
Manuel