[CentOS] How to get additional packages? How secure is Yum?

Wed Jul 23 20:20:00 UTC 2008
Johnny Hughes <johnny at centos.org>

Manuel Reimer wrote:
> "nate" wrote:
>> Security is pretty important for me too. For this, and other reasons
>> I never point yum to 3rd party repositories. I only run CentOS/RHEL
>> on servers. I run Debian on desktops(due to larger package selection
>> and still long release cycles for stable). And usually Ubuntu on
>> laptops(for more current hardware support).
> 
> Debian? Didn't they have a *pretty* dangerous hold in their SSL packages just some weeks ago?
> 

Well, that could have happened to anyone.  In this case it happened to 
Debain.  All DNS since the beginning of the internet has just been 
declared totally unsafe on Linux and Windows and Mac too, stuff happens.

> Especially if it gets to security, I don't think that Debian is a good solution. AFAIR they also got their servers hacked several times for several different reasons. Not very trustworthy, IMHO. And those political discussions *suck*! For example I want "Firefox" and *not* "Iceweasel".
> 

Any server can be hacked ... Debian is a fine system, as are many 
others.  What CentOS offers is long support lifetimes and a known base 
that many other enterprise things are desgined to run on because of the 
upstream provider.  We won't engage in cutting down other distros ... 
ours is what it is and millions of people use it.

>> If security is a top priority, and you really want to use CentOS/RHEL,
>> then don't use 3rd party packages, period. Otherwise I suggest you
>> find a distro that supports the applications you wish to run directly
>> or maintain them yourself.
> 
> I'm searching for a distribution for several *months* now and so far I couldn't find something that fits my needs...
> 
> CentOS seems to be pretty well done, but the amount of packages that is delivered with it definetly doesn't fit all needs. Today, I tried to set up a server with CentOS (VMWare server). Worked pretty well, but for installing the NTFS driver, I had to import the rpmforge repository...
>

CentOS is a direct rebuild of the package versions available from RHEL, 
that is our main purpose.

We do have some very minimal things is some other repositories called 
CentOS Extras and CentOSPlus ... but the purpose of those is usually to 
provide something that is not in the major 3rd party repos.  We have no 
  desire to duplicate the 3rd party repos.


>> And of course security/stability rarely means having the latest version.
> 
> Of course.
> 
> Am I on the right list? Not very much answers, so far...
> 

There really are not any good answers ... RPMForge (Dag's repo) is a 
very good resource, but it is not part of CentOS.

There is also EPEL and ATrpms and KBS CentOS extras.

As others have said, if the 3rd party repos do not meet your 
requirements WRT security updates, then you will have to research and 
build your own.

Thanks,
Johnny Hughes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 251 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20080723/43cfd196/attachment-0005.sig>