Hello,
I'm coming from Slackware and I'm searching for another distribution to run on my desktop and in near future also on a server.
The *top priority* for me is security!
I've test-installed CentOS on one of my test systems. So far everything went OK. After trying a bit, I would like to ask some questions:
- What is the suggested way to get *secure and trusted* additional packages? I don't want packages packaged by "someone" who doesn't have the required experience and who doesn't do the packaging on a dedicated "build host" which isn't used for anything else than building packages.
I tried the Dag-Repository. Seems to be well done and as Dag is a member of the CentOS-Staff, I think his packages are trustworthy. Unfortunately I'm unsure if they are secure. For example there is a Drupal package which is *out of date*! So there should either be an update or the package maybe should be removed altogether as it is a security hole! Is there a repository available which only has as many packages as the maintainer is able to keep secure?
- My second question is about: http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-pa...
Yum also seems to be affected, so a malicious mirror would be able to downgrade a package on a server where it's suggested to be *upgraded* to a patched version.
When will Yum be fixed and what is the suggested way to get Yum more secure?
Thanks in advance for any answers.
Yours
Manuel
On Mon, Jul 21, 2008 at 8:08 AM, Manuel Reimer <Manuel.Reimer@gmx.de> wrote:
- My second question is about:
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-pa...
Please read: http://planet.centos.org/
Akemi
Manuel Reimer wrote:
Hello,
I'm coming from Slackware and I'm searching for another distribution to run on my desktop and in near future also on a server.
The *top priority* for me is security!
I've test-installed CentOS on one of my test systems. So far anything went OK. After trying a bit, I would like to ask some questions:
- What is the suggested way to get *secure and trusted* additional packages?
I don't want packages packaged by "someone" who doesn't have the required experience and who doesn't do the packaging on a dedicated "build host" which isn't used for anything else than building packages.
Security is pretty important for me too. For this, and other reasons I never point yum to 3rd party repositories. I only run CentOS/RHEL on servers. I run Debian on desktops (due to larger package selection and still long release cycles for stable). And usually Ubuntu on laptops (for more current hardware support).
With that in mind, the 3rd party packages I get I inspect the version numbers by hand, and I build the source rpms myself, and install them via RPM (not via yum). I use a lot of src rpms from Dag's site for example. There aren't many 3rd party packages that are installed that are remotely accessible, and my systems have only trusted local users. Due to this I don't need to update the 3rd party packages very often (some, such as perl modules I don't even update).
To-date anyways it has provided me with minimal hassle. There is some extra work up front building packages, depending on the size of your environment (mine is several hundred systems), the extra work is well worth it.
If security is a top priority, and you really want to use CentOS/RHEL, then don't use 3rd party packages, period. Otherwise I suggest you find a distro that supports the applications you wish to run directly or maintain them yourself.
And of course security/stability rarely means having the latest version.
nate
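The stale-mirror problem raised in the first post (a mirror serving older, still validly signed packages or metadata) and the by-hand version inspection nate describes both come down to one check: does the repository offer anything at a lower version than what is already installed or previously seen? The following is an added example, not code from either poster or from yum; it re-implements rpm's label comparison (the rpmvercmp algorithm: numeric and alphabetic segments compared in turn, leading zeros ignored, `~` sorting before everything) and uses it to flag such downgrades. The function and class names (`rpmvercmp`, `EVR`, `evrcmp`, `parse_evr`, `find_downgrades`) and all package versions are assumptions constructed for the example.

```python
"""Flag a mirror that offers older packages than what is already installed.

Added example: a pure-Python re-implementation of rpm's version comparison
(rpmvercmp) applied to epoch:version-release (EVR) triples. All package names
and versions below are constructed for the example, not real advisories.
"""
from dataclasses import dataclass


def _take(s, i, pred):
    """Return the run of characters in s starting at i that satisfy pred."""
    j = i
    while j < len(s) and pred(s[j]):
        j += 1
    return s[i:j]


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm does.
    Returns 1 if a is newer, -1 if b is newer, 0 if they are equal."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators (anything not alphanumeric or '~') are skipped
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # '~' sorts before everything, including the end of the string
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # grab a run of digits (numeric segment) or letters (alpha segment)
        isnum = a[i].isdigit()
        pred = str.isdigit if isnum else str.isalpha
        sa, sb = _take(a, i, pred), _take(b, j, pred)
        if not sb:
            # segment types differ: a numeric segment is newer than an alpha one
            return 1 if isnum else -1
        i += len(sa)
        j += len(sb)
        if isnum:
            # leading zeros are insignificant; longer number wins
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


@dataclass(frozen=True)
class EVR:
    epoch: int
    version: str
    release: str

    def __str__(self):
        return f"{self.epoch}:{self.version}-{self.release}"


def evrcmp(x: EVR, y: EVR) -> int:
    """Epoch wins outright, then version, then release."""
    if x.epoch != y.epoch:
        return 1 if x.epoch > y.epoch else -1
    c = rpmvercmp(x.version, y.version)
    return c if c else rpmvercmp(x.release, y.release)


def parse_evr(text: str) -> EVR:
    """Parse 'epoch:version-release'; the epoch is optional and defaults to 0."""
    epoch = 0
    if ":" in text:
        e, text = text.split(":", 1)
        epoch = int(e)
    version, _, release = text.partition("-")
    return EVR(epoch, version, release)


def find_downgrades(installed: dict, offered: dict) -> dict:
    """Return {name: (installed_evr, offered_evr)} for every package the repo
    offers at a lower EVR than the installed one. An up-to-date mirror never
    does this; a stale or replayed one does, so such hits mean: distrust it."""
    hits = {}
    for name, have in installed.items():
        offer = offered.get(name)
        if offer is not None and evrcmp(offer, have) < 0:
            hits[name] = (have, offer)
    return hits


# Constructed sample data (not real package versions).
INSTALLED = {
    "openssl": parse_evr("0.9.8b-10.el5"),
    "bind": parse_evr("30:9.3.4-6.el5"),
    "drupal": parse_evr("6.2-1.el5.rf"),
}
MIRROR_OFFERS = {
    "openssl": parse_evr("0.9.8b-8.el5"),  # older release: downgrade
    "bind": parse_evr("30:9.3.4-6.el5"),   # identical: fine
    "drupal": parse_evr("6.3-1.el5.rf"),   # newer: fine
}

if __name__ == "__main__":
    for name, (have, offer) in find_downgrades(INSTALLED, MIRROR_OFFERS).items():
        print(f"{name}: mirror offers {offer}, installed {have}: stale or replayed mirror")
```

Run stand-alone it reports only `openssl`. The same comparison works against a locally kept high-water mark of versions seen from a trusted mirror, which catches the case where the mirror is merely frozen at the version you already have.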
"nate" wrote:
Security is pretty important for me too. For this, and other reasons I never point yum to 3rd party repositories. I only run CentOS/RHEL on servers. I run Debian on desktops (due to larger package selection and still long release cycles for stable). And usually Ubuntu on laptops (for more current hardware support).
Debian? Didn't they have a *pretty* dangerous hole in their SSL packages just some weeks ago?
Especially if it gets to security, I don't think that Debian is a good solution. AFAIR they also got their servers hacked several times for several different reasons. Not very trustworthy, IMHO. And those political discussions *suck*! For example I want "Firefox" and *not* "Iceweasel".
If security is a top priority, and you really want to use CentOS/RHEL, then don't use 3rd party packages, period. Otherwise I suggest you find a distro that supports the applications you wish to run directly or maintain them yourself.
I'm searching for a distribution for several *months* now and so far I couldn't find something that fits my needs...
CentOS seems to be pretty well done, but the amount of packages that are delivered with it definitely doesn't fit all needs. Today, I tried to set up a server with CentOS (VMWare server). Worked pretty well, but for installing the NTFS driver, I had to import the rpmforge repository...
And of course security/stability rarely means having the latest version.
Of course.
Am I on the right list? Not very many answers, so far...
CU
Manuel
Manuel Reimer wrote:
Debian? Didn't they have a *pretty* dangerous hole in their SSL packages just some weeks ago?
Yeah, fortunately I wasn't really affected, my systems weren't upgraded to the affected packages. (I didn't upgrade to the latest stable until fairly recently). Shit happens, nobody is perfect. But the fact remains that it's still supported by someone. I don't advocate debian for everyone I was just giving an example of a distribution that has long release cycles similar to RHEL, and a much wider selection of packages that are actively supported by the base vendor.
Especially if it gets to security, I don't think that Debian is a good solution. AFAIR they also got their servers hacked several times for several different reasons. Not very trustworthy, IMHO. And those political discussions *suck*! For example I want "Firefox" and *not* "Iceweasel".
Then don't use iceweasel, download firefox and install it yourself. It's not hard. I don't really care either way but I do like the fact that they back port security fixes. I did that for years myself, back in the early firefox and phoenix days. I haven't been on a debian mailing list in 5-6 years so haven't seen the political stuff, but still I didn't really care back then either.
I'm searching for a distribution for several *months* now and so far I couldn't find something that fits my needs...
Maybe time to roll your own :)
CentOS seems to be pretty well done, but the amount of packages that are delivered with it definitely doesn't fit all needs. Today, I tried to set up a server with CentOS (VMWare server). Worked pretty well, but for installing the NTFS driver, I had to import the rpmforge repository...
I agree, that's one of my main "complaints" about RHEL is the lack of packages. I checked and I have about 55 source rpms that I custom build to install on my systems (installed via cfengine), for RHEL4/5 both 32-bit and 64-bit. Back when I had to support a Ruby on Rails environment I had to build another 30 packages for the same 4 different platforms (for a while it was 6 different platforms) from source tarballs (made into RPMs using alien).
Then there's custom drivers for the various kernels, e.g. for VMWare I build from source their drivers package for each kernel so I can push out a binary RPM along with the kernel RPM to provide correct drivers automatically, no need to re-run the configure script and I don't like to use their prebuilt binaries (no real reason, just prefer not to). Same goes for fiber channel card drivers, and for a while, I had to build/package custom network (broadcom) and 3ware raid drivers since they weren't supported in the main kernels at the time. (inserting these drivers into the installation process was a pain..)
Am I on the right list? Not very many answers, so far...
Probably because there aren't any good answers. There's too many different preferences out there. For me rolling my own is fine for my CentOS/RHEL systems. For others, blindly using the "main" 3rd party repos is fine for them. Maybe for you, to lobby the distribution you prefer most (RHEL? since you're on a CentOS list) to include the packages that you want (so they can then come down to CentOS).
Or perhaps take another approach - Don't pick the applications you want to use and then try to find someone to support them. Pick a base platform to use and build your system around the applications they support.
nate
On Wed, Jul 23, 2008 at 8:11 AM, Manuel Reimer <Manuel.Reimer@gmx.de> wrote:
I'm searching for a distribution for several *months* now and so far I couldn't find something that fits my needs...
CentOS seems to be pretty well done, but the amount of packages that are delivered with it definitely doesn't fit all needs. Today, I tried to set up a server with CentOS (VMWare server). Worked pretty well, but for installing the NTFS driver, I had to import the rpmforge repository...
Not sure why you *need* NTFS support to use/run VMWare Server...?
For NTFS support, I routinely download the latest CentOS release kernel sources and build it in, but you can also just build the module and use dkms to keep it up to date.
As for the availability of packages, well, some things come with a distribution and others don't. E.g., I like to use Seamonkey (instead of Firefox or other options), but I don't think it comes with any distribution, so I get it and install it separately. You just have to decide which is more important - the distro you like best, or the explosion of packages you want.
mhr
Manuel Reimer wrote:
"nate" wrote:
Security is pretty important for me too. For this, and other reasons I never point yum to 3rd party repositories. I only run CentOS/RHEL on servers. I run Debian on desktops (due to larger package selection and still long release cycles for stable). And usually Ubuntu on laptops (for more current hardware support).
Debian? Didn't they have a *pretty* dangerous hole in their SSL packages just some weeks ago?
Well, that could have happened to anyone. In this case it happened to Debian. All DNS since the beginning of the internet has just been declared totally unsafe on Linux and Windows and Mac too, stuff happens.
Especially if it gets to security, I don't think that Debian is a good solution. AFAIR they also got their servers hacked several times for several different reasons. Not very trustworthy, IMHO. And those political discussions *suck*! For example I want "Firefox" and *not* "Iceweasel".
Any server can be hacked ... Debian is a fine system, as are many others. What CentOS offers is long support lifetimes and a known base that many other enterprise things are designed to run on because of the upstream provider. We won't engage in cutting down other distros ... ours is what it is and millions of people use it.
If security is a top priority, and you really want to use CentOS/RHEL, then don't use 3rd party packages, period. Otherwise I suggest you find a distro that supports the applications you wish to run directly or maintain them yourself.
I'm searching for a distribution for several *months* now and so far I couldn't find something that fits my needs...
CentOS seems to be pretty well done, but the amount of packages that are delivered with it definitely doesn't fit all needs. Today, I tried to set up a server with CentOS (VMWare server). Worked pretty well, but for installing the NTFS driver, I had to import the rpmforge repository...
CentOS is a direct rebuild of the package versions available from RHEL, that is our main purpose.
We do have some very minimal things in some other repositories called CentOS Extras and CentOSPlus ... but the purpose of those is usually to provide something that is not in the major 3rd party repos. We have no desire to duplicate the 3rd party repos.
And of course security/stability rarely means having the latest version.
Of course.
Am I on the right list? Not very many answers, so far...
There really are not any good answers ... RPMForge (Dag's repo) is a very good resource, but it is not part of CentOS.
There is also EPEL and ATrpms and KBS CentOS extras.
As others have said, if the 3rd party repos do not meet your requirements WRT security updates, then you will have to research and build your own.
Thanks, Johnny Hughes