Two things have been weighing on my mind regarding security issues.
The first is that when I downloaded the CentOS 4.1 ISO images, I could not get the sums to match even using different downloads from different mirrors. I decided that I was doing something wrong and decided to trust the images. So far no regrets. But I am concerned that I get it right the next time. I thought I had read everything carefully and I also had a small amount of experience with them in the past. Decided eventually maybe they just hadn't been updated (this was about a month or so ago, IIRC?).
Can one post the command used to gen the numbers so I can use the correct parameters next time?
TIA
My second concern is with security update announcements. For all the announcers but one (IIRC) I get "Invalid signature" displayed (using Evolution). I would ask "Should I be concerned?", but the answer is self-evident in security circles. So instead, I'll ask if this is acceptable in the official CentOS and I can continue to rely on their stuff in their opinion.
Again, TIA
And, please, no comments on the irony inherent in this. We don't want to be un-subscribed, otherwise castigated or fan the flames of possible list moderation. I know "the powers that be" will appreciate our cooperation.
Last TIA
On 10/12/05, William L. Maltby BillsCentOS@triad.rr.com wrote:
> Two things have been weighing on my mind regarding security issues.
> The first is that when I downloaded the CentOS 4.1 ISO images, I could not get the sums to match even using different downloads from different mirrors. I decided that I was doing something wrong and decided to trust the images. So far no regrets. But I am concerned that I get it right the next time. I thought I had read everything carefully and I also had a small amount of experience with them in the past. Decided eventually maybe they just hadn't been updated (this was about a month or so ago, IIRC?).
> Can one post the command used to gen the numbers so I can use the correct parameters next time?

Windows and sums are problematic. When you boot the suspect CD set, run the check CD option.
Unless you can download and check on a *nix box.

--
Leonard Isham, CISSP
Ostendo non ostento.
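The "check on a *nix box" route Leonard mentions, worked through as an added example (this is not code from the thread or from the CentOS project): the mirrors publish the sums as plain `md5sum`/`sha1sum` output, so the check is `md5sum -c` against that list, and the usual reason it fails after a Windows download is the CR/LF line endings the browser saved the sums file with. File names, the sample "image" and the tampered copy are all constructed; it assumes GNU coreutils (`md5sum`, `sha1sum` with `--strict`).

```shell
#!/bin/sh
# Added example, not from the thread: check downloaded ISO images on a *nix box
# against the md5sum.txt / sha1sum.txt file a mirror publishes next to the images.
# File names are hypothetical; the "image" is a constructed stand-in, not a real ISO.

# verify_sums ALG SUMSFILE
# Runs "<ALG>sum -c" over every entry in SUMSFILE, from the directory that holds it,
# so the bare file names in the list resolve. Exit status 0 only if every listed
# file is present and matches; any mismatch or malformed line is a failure.
verify_sums() {
    alg="$1"; sums="$2"
    dir=$(dirname "$sums"); base=$(basename "$sums")
    (
        cd "$dir" || exit 2
        # A sums file saved from a Windows browser often arrives with CR/LF line
        # endings; the stray CR makes md5sum look for "image.iso<CR>" and the
        # check fails even though the image is fine. Strip it before checking.
        tr -d '\r' < "$base" > ".$base.unix"
        "${alg}sum" -c --strict ".$base.unix"
    )
}

# check_one ALG FILE EXPECTED
# Compare a single file with one hash copied from a web page or announcement.
# Case-insensitive, because hashes are sometimes published in upper case.
check_one() {
    alg="$1"; file="$2"
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    actual=$("${alg}sum" "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# make_sample: build a scratch directory holding a constructed sample image,
# matching md5/sha1 sums files, a CR/LF copy of the md5 list, and a
# "tampered" subdirectory whose image no longer matches the list.
make_sample() {
    d=$(mktemp -d)
    printf 'constructed stand-in for a CentOS 4.1 ISO image\n' > "$d/sample.iso"
    ( cd "$d" && md5sum sample.iso > md5sum.txt && sha1sum sample.iso > sha1sum.txt )
    awk '{ printf "%s\r\n", $0 }' "$d/md5sum.txt" > "$d/md5sum-crlf.txt"
    mkdir "$d/tampered"
    cp "$d/md5sum.txt" "$d/tampered/"
    printf 'constructed stand-in, altered after the sums were published\n' > "$d/tampered/sample.iso"
    echo "$d"
}

# Walk-through when run directly.
d=$(make_sample)
echo "== clean image, LF sums file";   verify_sums md5 "$d/md5sum.txt"      && echo "result: OK"
echo "== clean image, CRLF sums file"; verify_sums md5 "$d/md5sum-crlf.txt" && echo "result: OK"
echo "== clean image, sha1 list";      verify_sums sha1 "$d/sha1sum.txt"    && echo "result: OK"
echo "== tampered image";              verify_sums md5 "$d/tampered/md5sum.txt" || echo "result: MISMATCH, do not install from this image"
rm -rf "$d"
```

For a real download, put the ISO files and the mirror's sums file in one directory and call `verify_sums md5 ./md5sum.txt` (or `sha1` with `sha1sum.txt`); a hash pasted from a web page goes through `check_one`. A checksum only proves the download matches what the mirror published; it says nothing about who published it, which is what the GPG-signed announcements are for.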
On Wed, 2005-10-12 at 09:45 -0400, Leonard Isham wrote:
> On 10/12/05, William L. Maltby BillsCentOS@triad.rr.com wrote:
> > Two things have been weighing on my mind regarding security issues.
> > The first is that when I downloaded the CentOS 4.1 ISO images, I could not get the sums to match <snip...>
> > Can one post the command used to gen the numbers so I can use the correct parameters next time?
>
> Windows and sums are problematic. When you boot the suspect CD set, run the check CD option.

Did that. They checked OK, so I had some confidence. Still, I do hope that md5 sums or gpg stuff is truly usable and the error was mine.

> Unless you can download and check on a *nix box.

I could, but I don't see the urgency if the 4.2 is coming out RSN.

> --
> Leonard Isham, CISSP
> Ostendo non ostento.
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12 Oct 2005 at 9:20, William L. Maltby wrote:
> <snip>
> My second concern is with security update announcements. For all the announcers but one (IIRC) I get "Invalid signature" displayed (using Evolution). I would ask "Should I be concerned?", but the answer is self-evident in security circles. So instead, I'll ask if this is acceptable in the official CentOS and I can continue to rely on their stuff in their opinion.

Do you have any more detail as to why the invalid signatures? Does it give you a different message if you haven't imported someone's public key? You might want to check out your GPG integration setup with Evolution. I'm using Thunderbird/Enigmail to read list mail, and all of the CentOS announcement messages have verifiable signatures. I assume you have no trouble with PGP/MIME since that appears to be what you're using...

- ----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
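Nels's question about whether the announcer's public key has been imported is the whole issue, so here is the mechanism reproduced by hand as an added example (not code from the thread, the CentOS project or any mail client): a message signed with a key the reader has never imported cannot be verified at all, importing the key makes the same message verify, and any edit to the signed text breaks the signature again. Both keyrings are throwaway temporary directories, the announcer identity and message are constructed, and it assumes GnuPG 2.1 or later (`--quick-generate-key`, `--pinentry-mode loopback`).

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "can't verify" state a mail
# reader is in until the announcer's public key has been imported, then import
# the key and verify by hand. Everything runs in throwaway keyring directories;
# the announcer identity and the message are constructed.

# new_keyring: a private, empty GNUPGHOME so nothing here touches ~/.gnupg.
new_keyring() {
    k=$(mktemp -d)
    chmod 700 "$k"
    echo "$k"
}

# make_signer KEYRING USERID: generate a passphrase-less throwaway signing key.
make_signer() {
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never 2>/dev/null
}

# sign_message KEYRING FILE: clearsign FILE, producing FILE.asc, the same shape
# as a signed list announcement.
sign_message() {
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --clearsign "$2" 2>/dev/null
}

# export_pubkey KEYRING OUT: the announcer's public key as an ASCII-armoured file,
# what a keyserver lookup or a published key file would hand you.
export_pubkey() {
    GNUPGHOME="$1" gpg --batch --quiet --armor --export > "$2" 2>/dev/null
}

# import_pubkey KEYRING KEYFILE: the step the mail client does not do for you.
import_pubkey() {
    GNUPGHOME="$1" gpg --batch --quiet --import "$2" 2>/dev/null
}

# verify_message KEYRING FILE.asc: exit 0 only for a good signature from a key
# present in KEYRING. "No public key" and "BAD signature" both return non-zero,
# which is what a mail client collapses into one "invalid signature" badge.
verify_message() {
    GNUPGHOME="$1" gpg --batch --quiet --verify "$2" 2>/dev/null
}

# Walk-through when run directly (skipped if gpg is not installed).
if command -v gpg >/dev/null 2>&1; then
    announcer=$(new_keyring)   # the person sending the announcement
    reader=$(new_keyring)      # you, before importing anything
    make_signer "$announcer" "Constructed Announcer <announce@example.invalid>"
    printf 'constructed security update announcement\n' > "$announcer/msg.txt"
    sign_message "$announcer" "$announcer/msg.txt"

    if verify_message "$reader" "$announcer/msg.txt.asc"
    then echo "before import: verified (unexpected)"
    else echo "before import: cannot verify, signer's key unknown"
    fi

    export_pubkey "$announcer" "$announcer/announcer-pubkey.asc"
    import_pubkey "$reader" "$announcer/announcer-pubkey.asc"

    if verify_message "$reader" "$announcer/msg.txt.asc"
    then echo "after import: good signature"
    else echo "after import: still failing (unexpected)"
    fi

    # Any change to the signed text must break verification.
    sed 's/update/UPDATE/' "$announcer/msg.txt.asc" > "$announcer/altered.asc"
    if verify_message "$reader" "$announcer/altered.asc"
    then echo "altered message: verified (unexpected)"
    else echo "altered message: BAD signature, as it should be"
    fi

    GNUPGHOME="$announcer" gpgconf --kill gpg-agent 2>/dev/null
    GNUPGHOME="$reader" gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$announcer" "$reader"
fi
```

Against a real announcement, the equivalent of `import_pubkey` is fetching the announcer's key into your own keyring and `verify_message` is `gpg --verify` on the saved message (or the mail client doing the same). Importing a key only lets gpg check that the signature matches that key; whether the key really belongs to the CentOS announcer is a separate question that gpg reports as the key's trust level, and a mail client may still flag it until you have marked the key trusted.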
Folks,
Just a quick reminder that the list is about CentOS.
And, since it's about CentOS, I just wanted to spend a couple minutes and thank the guy(s) that spend all the time and effort in repackaging, and making things work well. As a sysadmin, I really, really, really appreciate it. CentOS fills a niche that I think Redhat was short-sighted in neglecting, though I believe that I understand the reasoning behind the decision.
To the developer(s): Please don't let the bickering and negativity get you down. For every loud voice or strong personality, there are doubtless scores of folks that are using CentOS quietly. I think the CentOS project has a strong future, and many of the insignificant issues that are cropping up are symptoms of growth and project momentum.
Regarding list moderation: Of the lists to which I subscribe, several are moderated, and there is a general policy that corrective action happen off list. Public berating is rarely effective, in my experience, for it leads to defense, general malaise, the taking of sides, and other nasty and usually unintended side effects. Just something to consider...
As an aside, for the folks who read this far down, is there somewhere that I can look for CentOS volunteership, stuff as needs to be done, and like that?
Yours,
Jacob Leaver
Senior Systems Administrator
ReachONE Internet
On Wed, 2005-10-12 at 10:18 -0600, Nels Lindquist wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 12 Oct 2005 at 9:20, William L. Maltby wrote:
> > <snip>
> > My second concern is with security update announcements. For all the announcers but one (IIRC) I get "Invalid signature" displayed (using Evolution). I would ask "Should I be concerned?", but the answer is self-evident in security circles. So instead, I'll ask if this is acceptable in the official CentOS and I can continue to rely on their stuff in their opinion.
>
> Do you have any more detail as to why the invalid signatures? Does it give you a different message if you haven't imported someone's public key? You might want to check out your GPG integration setup with Evolution. I'm using Thunderbird/Enigmail to read list mail, and all of the CentOS announcement messages have verifiable signatures. I assume you have no trouble with PGP/MIME since that appears to be what you're using...

Thanks for the response. I'm really relatively new to all this security stuff *and* GUI/Gnome/KDE/... and have a background rooted in deep dark CLI past. No serious administration/security background either.

I installed CentOS, tried out a few utilities, saw all this GUI stuff, saw Evolution and decided to try it. As part of this, I set up my gpg key stuff, test sent a mail to me and saw "valid signature". I thought "Cool, made this as easy as Windows" (I don't like Windows much, but I have to use it sometimes). Based on your reply, it sounds like there is more I need to learn and set up.

Because I seemed to recall *some* of the sigs came across OK, my first assessment was that I should ask. I figured that those that showed as invalid signatures might be because the senders were not on their normal machines or other factors beyond my knowledge might be in play. So I opted to ask first.

Responding to what you posted, I started looking for one that came across OK, but don't have one saved. Further, the ones I do have saved all have invalid sig notifications. Ones I posted to the list have valid sig notifications and came back OK.

Taking your mention of "... importing someone's public key..." and the rest, I started doing some reading, realizing at that moment that this was not as automatic as Windows. Checking the config file, it looks like I have the servers correctly identified (which in my ignorance was all I thought was needed, thinking a key would be automatically fetched like in Windows). I have imported the public keys and it eliminated those messages.

Thanks for taking the time to get me started down the right road on this. Reading in progress on many new subjects....

> Nels Lindquist <*>
> Information Systems Manager
> Morningstar Air Express Inc.
> <snip rest of sig>
Related in a thread started by Rich Huff rich@richhuff.com "CentOS security signatures in Evolution"