 
Old 07-21-2008, 03:08 PM
"Manuel Reimer"
 
How to get additional packages? How secure is Yum?

Hello,

I'm coming from Slackware and I'm searching for another distribution to run on my desktop and in the near future also on a server.

The *top priority* for me is security!

I've test-installed CentOS on one of my test systems. So far everything went OK. After trying a bit, I would like to ask some questions:

- What is the suggested way to get *secure and trusted* additional packages? I don't want packages packaged by "someone" who doesn't have the required experience and who doesn't do the packaging on a dedicated "build host" which isn't used for anything else than building packages.

I tried the Dag repository. It seems to be well done, and as Dag is a member of the CentOS staff, I think his packages are trustworthy. Unfortunately I'm unsure if they are secure. For example there is a Drupal package which is *out of date*! So there should either be an update, or the package should maybe be removed altogether, as it is a security hole! Is there a repository available which only has as many packages as the maintainer is able to keep secure?

- My second question is about:
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html

Yum also seems to be affected, so a malicious mirror would be able to downgrade a package on a server where it's supposed to be *upgraded* to a patched version.

When will Yum be fixed and what is the suggested way to get Yum more secure?

Thanks in advance for any answers.

Yours

Manuel
--
() ascii ribbon campaign - against html mail
/\ - against HTML mail
answers as html mail will be deleted automatically!
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
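The attack Manuel is asking about is the replay/freeze scenario from the Arizona paper: a mirror serves a package (or a whole metadata set) that is validly signed but old. Signature checking alone does not catch this, because the stale package really was signed by the vendor, and in 2008 yum did not verify a signature over the repository metadata itself (the later repo_gpgcheck option). The defence is to compare what a mirror offers against a version reference you trust. The script below is an added example, not code from this thread, from yum or from rpm: it reimplements rpm's version-string comparison (rpmvercmp) in Python so the check runs offline, and all package names and EVRs in it are constructed sample data, not real advisories.

```python
"""Audit a package mirror for replay/downgrade offers.

Added example for the thread above; not code from the list, from yum or
from rpm.  It reimplements rpm's version-string comparison (rpmvercmp) so
an expected package set can be checked, offline, against what a mirror
advertises.  The package data at the bottom is constructed sample input.
"""
import re
from typing import Dict, List, Optional, Tuple

EVR = Tuple[int, str, str]  # (epoch, version, release)
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two rpm version or release strings; returns -1, 0 or 1.

    Same rules as rpm's rpmvercmp: separators are ignored, numeric segments
    compare as integers (leading zeros dropped), a numeric segment beats an
    alphabetic one, '~' sorts before anything including end of string
    (1.0~rc1 < 1.0), and when all shared segments tie the longer string
    wins (2.0.1 > 2.0).
    """
    if a == b:
        return 0
    one, two = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while i < len(one) or i < len(two):
        s1: Optional[str] = one[i] if i < len(one) else None
        s2: Optional[str] = two[i] if i < len(two) else None
        if s1 == "~" or s2 == "~":  # tilde is lowest, even against "nothing"
            if s1 != "~":
                return 1
            if s2 != "~":
                return -1
            i += 1
            continue
        if s1 is None or s2 is None:  # one side ran out of segments
            break
        isnum = s1[0].isdigit()
        if isnum != s2[0].isdigit():  # numeric segment beats alphabetic
            return 1 if isnum else -1
        if isnum:
            if int(s1) != int(s2):
                return 1 if int(s1) > int(s2) else -1
        elif s1 != s2:
            return 1 if s1 > s2 else -1
        i += 1
    if i >= len(one) and i >= len(two):
        return 0
    return -1 if i >= len(one) else 1


def parse_evr(text: str) -> EVR:
    """Parse '[epoch:]version-release'; a missing epoch counts as 0.

    rpm forbids '-' inside version and release, so the last '-' is the split.
    """
    epoch = 0
    if ":" in text:
        head, text = text.split(":", 1)
        epoch = int(head)
    version, release = text.rsplit("-", 1)
    return epoch, version, release


def compare_evr(a: EVR, b: EVR) -> int:
    """rpm's label comparison: epoch decides first, then version, then release."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def audit_mirror(expected: Dict[str, str], offered: Dict[str, str]) -> Dict[str, List[str]]:
    """Flag packages a mirror would roll back or withhold.

    expected: name -> EVR you trust (the installed set, or metadata fetched
              from the primary repository over a channel you trust)
    offered:  name -> newest EVR the mirror advertises for that name
    Newer-or-equal offers are normal and are not reported.  A signed but
    stale package passes gpgcheck, so this is the check signatures do not do.
    """
    downgrade, missing = [], []
    for name, evr in expected.items():
        if name not in offered:
            missing.append(name)
        elif compare_evr(parse_evr(offered[name]), parse_evr(evr)) < 0:
            downgrade.append(name)
    return {"downgrade": sorted(downgrade), "missing": sorted(missing)}


# Constructed sample data: what this host trusts versus what one mirror offers.
EXPECTED = {
    "openssl": "0.9.8b-10.el5_2.1",
    "drupal": "6.3-1.el5.rf",
    "bind": "30:9.3.4-6.0P1.el5_2",
    "kernel": "2.6.18-92.1.6.el5",
    "sudo": "1.6.8p12-12.el5",
}
MIRROR = {
    "openssl": "0.9.8b-8.3.el5_0.2",  # older release: the replay the thread fears
    "drupal": "6.2-1.el5.rf",         # older version
    "bind": "30:9.3.4-6.0P1.el5_2",   # identical: fine
    "kernel": "2.6.18-92.1.10.el5",   # newer: fine
    # "sudo" is absent: the mirror withholds it (freeze)
}

if __name__ == "__main__":
    for kind, names in audit_mirror(EXPECTED, MIRROR).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Two caveats a practitioner should keep in mind. First, `yum update` itself never replaces an installed package with a lower EVR, so the realistic damage from a stale mirror is withheld updates and old packages on freshly installed hosts rather than a live rollback; the "missing" list is the more important one on a running server. Second, the reference set has to come from somewhere the mirror cannot influence: the EVRs in the vendor's announcements, or metadata fetched directly from the primary repository, not a second mirror from the same mirrorlist.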
 
Old 07-21-2008, 03:16 PM
"Akemi Yagi"
 
How to get additional packages? How secure is Yum?

On Mon, Jul 21, 2008 at 8:08 AM, Manuel Reimer <Manuel.Reimer@gmx.de> wrote:

> - My second question is about:
> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html

Please read: http://planet.centos.org/

Akemi
 
Old 07-21-2008, 03:35 PM
"nate"
 
How to get additional packages? How secure is Yum?

Manuel Reimer wrote:
> Hello,
>
> I'm coming from Slackware and I'm searching for another distribution to run
> on my desktop and in near future also on a server.
>
> The *top priority* for me is security!
>
> I've test-installed CentOS on one of my test systems. So far anything went
> OK. After trying a bit, I would like to ask some questions:
>
> - What is the suggested way to get *secure and trusted* additional packages?
> I don't want packages packaged by "someone" who doesn't have the required
> experience and who doesn't do the packaging on a dedicated "build host"
> which isn't used for anything else than building packages.

Security is pretty important for me too. For this, and other reasons
I never point yum to 3rd party repositories. I only run CentOS/RHEL
on servers. I run Debian on desktops (due to larger package selection
and still long release cycles for stable). And usually Ubuntu on
laptops (for more current hardware support).

With that in mind, the 3rd party packages I get I inspect the version
numbers by hand, and I build the source rpms myself, and install them
via RPM (not via yum). I use a lot of src rpms from Dag's site for
example. There aren't many 3rd party packages that are installed that
are remotely accessible, and my systems have only trusted local users.
Due to this I don't need to update the 3rd party packages very often
(some, such as perl modules I don't even update).

To-date anyways it has provided me with minimal hassle. There is some
extra work up front building packages, depending on the size of
your environment (mine is several hundred systems), the extra work is
well worth it.

If security is a top priority, and you really want to use CentOS/RHEL,
then don't use 3rd party packages, period. Otherwise I suggest you
find a distro that supports the applications you wish to run directly
or maintain them yourself.

And of course security/stability rarely means having the latest version.

nate

 
Old 07-23-2008, 03:11 PM
"Manuel Reimer"
 
How to get additional packages? How secure is Yum?

"nate" wrote:
> Security is pretty important for me too. For this, and other reasons
> I never point yum to 3rd party repositories. I only run CentOS/RHEL
> on servers. I run Debian on desktops (due to larger package selection
> and still long release cycles for stable). And usually Ubuntu on
> laptops (for more current hardware support).

Debian? Didn't they have a *pretty* dangerous hole in their SSL packages just some weeks ago?

Especially if it gets to security, I don't think that Debian is a good solution. AFAIR they also got their servers hacked several times for several different reasons. Not very trustworthy, IMHO. And those political discussions *suck*! For example I want "Firefox" and *not* "Iceweasel".

> If security is a top priority, and you really want to use CentOS/RHEL,
> then don't use 3rd party packages, period. Otherwise I suggest you
> find a distro that supports the applications you wish to run directly
> or maintain them yourself.

I'm searching for a distribution for several *months* now and so far I couldn't find something that fits my needs...

CentOS seems to be pretty well done, but the amount of packages that is delivered with it definitely doesn't fit all needs. Today, I tried to set up a server with CentOS (VMWare server). Worked pretty well, but for installing the NTFS driver, I had to import the rpmforge repository...

> And of course security/stability rarely means having the latest version.

Of course.

Am I on the right list? Not very many answers, so far...

CU

Manuel
 
Old 07-23-2008, 03:35 PM
"nate"
 
How to get additional packages? How secure is Yum?

Manuel Reimer wrote:
> Debian? Didn't they have a *pretty* dangerous hole in their SSL packages
> just some weeks ago?

Yeah, fortunately I wasn't really affected, my systems weren't upgraded
to the affected packages. (I didn't upgrade to the latest stable until
fairly recently). Shit happens, nobody is perfect. But the fact remains
that it's still supported by someone. I don't advocate debian for everyone
I was just giving an example of a distribution that has long release
cycles similar to RHEL, and a much wider selection of packages that are
actively supported by the base vendor.

> Especially if it gets to security, I don't think that Debian is a good
> solution. AFAIR they also got their servers hacked several times for several
> different reasons. Not very trustworthy, IMHO. And those political
> discussions *suck*! For example I want "Firefox" and *not* "Iceweasel".

Then don't use iceweasel, download firefox and install it yourself. It's
not hard. I don't really care either way but I do like the fact that
they back port security fixes. I did that for years myself, back in the
early firefox and phoenix days. I haven't been on a debian mailing list
in 5-6 years so haven't seen the political stuff, but still I didn't
really care back then either.

> I'm searching for a distribution for several *months* now and so far I
> couldn't find something that fits my needs...

Maybe time to roll your own

> CentOS seems to be pretty well done, but the amount of packages that is
> delivered with it definitely doesn't fit all needs. Today, I tried to set up
> a server with CentOS (VMWare server). Worked pretty well, but for installing
> the NTFS driver, I had to import the rpmforge repository...

I agree, that's one of my main "complaints" about RHEL is the lack of
packages. I checked and I have about 55 source rpms that I custom build
to install on my systems (installed via cfengine), for RHEL4/5 both
32-bit and 64-bit. Back when I had to support a Ruby on Rails environment
I had to build another 30 packages for the same 4 different platforms
(for a while it was 6 different platforms) from source tarballs (made
into RPMs using alien).

Then there's custom drivers for the various kernels, e.g. for VMWare
I build from source their drivers package for each kernel so I can push
out a binary RPM along with the kernel RPM to provide correct drivers
automatically, no need to re-run the configure script and I don't like
to use their prebuilt binaries(no real reason, just prefer not to).
Same goes for fiber channel card drivers, and for a while, I had to
build/package custom network (broadcom) and 3ware raid drivers since
they weren't supported in the main kernels at the time. (inserting
these drivers into the installation process was a pain..)

> Am I on the right list? Not very many answers, so far...

Probably because there aren't any good answers. There's too many
different preferences out there. For me rolling my own is fine for
my CentOS/RHEL systems. For others, blindly using the "main" 3rd
party repos is fine for them. Maybe for you, to lobby the distribution
you prefer most (RHEL? since you're on a CentOS list) to include the
packages that you want (so they can then come down to CentOS).

Or perhaps take another approach - Don't pick the applications you
want to use and then try to find someone to support them. Pick a
base platform to use and build your system around the applications
they support.

nate


 
Old 07-23-2008, 05:55 PM
MHR
 
How to get additional packages? How secure is Yum?

On Wed, Jul 23, 2008 at 8:11 AM, Manuel Reimer <Manuel.Reimer@gmx.de> wrote:
>
> I'm searching for a distribution for several *months* now and so far I couldn't find something that fits my needs...
>
> CentOS seems to be pretty well done, but the amount of packages that is delivered with it definetly doesn't fit all needs. Today, I tried to set up a server with CentOS (VMWare server). Worked pretty well, but for installing the NTFS driver, I had to import the rpmforge repository...
>

Not sure why you *need* NTFS support to use/run VMWare Server...?

For NTFS support, I routinely download the latest CentOS release
kernel sources and build it in, but you can also just build the module
and use dkms to keep it up to date.

As for the availability of packages, well, some things come with a
distribution and others don't. E.g., I like to use Seamonkey (instead
of Firefox or other options), but I don't think it comes with any
distribution, so I get it and install it separately. You just have to
decide which is more important - the distro you like best, or the
explosion of packages you want.

mhr
 
Old 07-23-2008, 08:20 PM
Johnny Hughes
 
How to get additional packages? How secure is Yum?

Manuel Reimer wrote:

>> Security is pretty important for me too. For this, and other reasons
>> I never point yum to 3rd party repositories. I only run CentOS/RHEL
>> on servers. I run Debian on desktops (due to larger package selection
>> and still long release cycles for stable). And usually Ubuntu on
>> laptops (for more current hardware support).
>
> Debian? Didn't they have a *pretty* dangerous hole in their SSL packages just some weeks ago?

Well, that could have happened to anyone. In this case it happened to
Debian. All DNS since the beginning of the internet has just been
declared totally unsafe on Linux and Windows and Mac too, stuff happens.

> Especially if it gets to security, I don't think that Debian is a good solution. AFAIR they also got their servers hacked several times for several different reasons. Not very trustworthy, IMHO. And those political discussions *suck*! For example I want "Firefox" and *not* "Iceweasel".

Any server can be hacked ... Debian is a fine system, as are many
others. What CentOS offers is long support lifetimes and a known base
that many other enterprise things are designed to run on because of the
upstream provider. We won't engage in cutting down other distros ...
ours is what it is and millions of people use it.

>> If security is a top priority, and you really want to use CentOS/RHEL,
>> then don't use 3rd party packages, period. Otherwise I suggest you
>> find a distro that supports the applications you wish to run directly
>> or maintain them yourself.
>
> I'm searching for a distribution for several *months* now and so far I couldn't find something that fits my needs...
>
> CentOS seems to be pretty well done, but the amount of packages that is delivered with it definitely doesn't fit all needs. Today, I tried to set up a server with CentOS (VMWare server). Worked pretty well, but for installing the NTFS driver, I had to import the rpmforge repository...

CentOS is a direct rebuild of the package versions available from RHEL,
that is our main purpose.

We do have some very minimal things in some other repositories called
CentOS Extras and CentOSPlus ... but the purpose of those is usually to
provide something that is not in the major 3rd party repos. We have no
desire to duplicate the 3rd party repos.

>> And of course security/stability rarely means having the latest version.
>
> Of course.
>
> Am I on the right list? Not very many answers, so far...

There really are not any good answers ... RPMForge (Dag's repo) is a
very good resource, but it is not part of CentOS.

There is also EPEL and ATrpms and KBS CentOS extras.

As others have said, if the 3rd party repos do not meet your
requirements WRT security updates, then you will have to research and
build your own.

Thanks,
Johnny Hughes


Thanks,
Johnny Hughes

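A middle ground between nate's "rebuild every SRPM yourself" and enabling RPMForge or EPEL wholesale is to enable the third-party repository only for the handful of packages the base distribution lacks (in Manuel's case the NTFS driver) while keeping signature checking on. The fragment below is an added example, not taken from this thread or from the CentOS project: the mirror URL is a placeholder, the key path and the package names are assumptions to be checked against the repository's own install instructions, and the priority line only has an effect if the yum-priorities plugin is installed.

```ini
# /etc/yum.repos.d/rpmforge.repo -- added example, not from the thread.
# baseurl, gpgkey path and package names are assumptions; verify them
# against the repository's own instructions before use.
[rpmforge]
name=RPMForge packages for CentOS 5 (restricted)
baseurl=http://mirror.example.org/rpmforge/el5/en/$basearch/dag
enabled=1
# Every package must carry a signature from the key imported below;
# this does not, by itself, stop a mirror from serving stale packages.
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
# Whitelist: only these names may ever be installed or updated from here.
# Everything else the repository carries is invisible to yum, so it cannot
# shadow or replace a base package.  Dependencies that base does not
# provide must be listed here as well (assumed names, check with yum).
includepkgs=fuse-ntfs-3g fuse fuse-libs
# With the yum-priorities plugin: higher number = lower priority, so
# base/updates (priority=1) win any remaining name collision.
priority=20
```

Before relying on it, confirm that the repository can really only contribute the whitelisted names: `yum --disablerepo='*' --enablerepo=rpmforge list available` should list nothing beyond the includepkgs entries. The same key import (`rpm --import` of the repository's public key) is what makes `rpm --checksig` meaningful if you follow nate's route of downloading SRPMs and rebuilding them on a dedicated build host.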
 
