[CentOS] How to get additional packages? How secure is Yum?
Hello,

I'm coming from Slackware and I'm searching for another distribution to run on my desktop and in the near future also on a server. The *top priority* for me is security!

I've test-installed CentOS on one of my test systems. So far everything went OK. After trying it a bit, I would like to ask some questions:

- What is the suggested way to get *secure and trusted* additional packages? I don't want packages packaged by "someone" who doesn't have the required experience and who doesn't do the packaging on a dedicated "build host" which isn't used for anything else than building packages. I tried the Dag repository. It seems to be well done, and as Dag is a member of the CentOS staff, I think his packages are trustworthy. Unfortunately I'm unsure if they are secure. For example there is a Drupal package which is *out of date*! So there should either be an update, or the package should maybe be removed altogether, as it is a security hole! Is there a repository available which only has as many packages as the maintainer is able to keep secure?

- My second question is about: http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
  Yum also seems to be affected, so a malicious mirror would be able to downgrade a package on a server where it's suggested to be *upgraded* to a patched version. When will Yum be fixed and what is the suggested way to make Yum more secure?

Thanks in advance for any answers.

Yours
Manuel

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
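The mirror attack raised above works by serving old but validly signed repository metadata, so a GPG check on its own does not catch it. The following is an added example (not code from the thread or from yum itself) of a client-side freshness check over yum's repomd.xml: it pins the last accepted revision/timestamp and rejects anything older or too stale. The XML snippets and the `max_age` policy are constructed for illustration.

```python
"""Detect stale or rolled-back yum repository metadata (repomd.xml).

Added example, not from the mailing-list thread or from yum. A mirror
that keeps serving an old repomd.xml holds clients on unpatched packages;
the GPG signature still verifies because the old file was genuinely
signed. Pinning the last-seen revision/timestamp closes that gap.
The sample XML below is constructed, not real repository data.
"""
import xml.etree.ElementTree as ET

NS = {"r": "http://linux.duke.edu/metadata/repo"}

# Constructed sample repomd.xml documents (not real repository data).
REPOMD_NEW = """<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1210000000</revision>
  <data type="primary"><timestamp>1210000000</timestamp></data>
  <data type="updateinfo"><timestamp>1210000500</timestamp></data>
</repomd>"""
# The same document as a malicious mirror might replay it: ten million seconds older.
REPOMD_OLD = (REPOMD_NEW.replace("1210000000", "1200000000")
                        .replace("1210000500", "1200000500"))


def parse_repomd(xml_text):
    """Return (revision, newest data timestamp) from a repomd.xml document."""
    root = ET.fromstring(xml_text)
    revision = int(root.findtext("r:revision", default="0", namespaces=NS))
    stamps = [int(ts.text) for ts in root.findall("r:data/r:timestamp", NS)]
    return revision, (max(stamps) if stamps else 0)


def check_freshness(xml_text, pinned, now, max_age):
    """Accept metadata only if it is not older than the last accepted fetch
    and its newest timestamp is within max_age seconds of now.

    pinned: (revision, timestamp) from the last accepted fetch, or None.
    Returns (ok, reason); on ok the caller should pin the new values.
    """
    revision, newest = parse_repomd(xml_text)
    if pinned and (revision < pinned[0] or newest < pinned[1]):
        return False, "rollback: mirror served metadata older than last seen"
    if now - newest > max_age:
        return False, "stale: newest metadata timestamp older than max_age"
    return True, "fresh"
```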
Re: [CentOS] How to get additional packages? How secure is Yum?
"nate" wrote:

> Security is pretty important for me too. For this, and other reasons
> I never point yum to 3rd party repositories. I only run CentOS/RHEL
> on servers. I run Debian on desktops (due to larger package selection
> and still long release cycles for stable). And usually Ubuntu on
> laptops (for more current hardware support).

Debian? Didn't they have a *pretty* dangerous hole in their SSL packages just some weeks ago? Especially when it comes to security, I don't think that Debian is a good solution. AFAIR they also got their servers hacked several times for several different reasons. Not very trustworthy, IMHO. And those political discussions *suck*! For example I want "Firefox" and *not* "Iceweasel".

> If security is a top priority, and you really want to use CentOS/RHEL,
> then don't use 3rd party packages, period. Otherwise I suggest you
> find a distro that supports the applications you wish to run directly
> or maintain them yourself.

I've been searching for a distribution for several *months* now and so far I couldn't find something that fits my needs... CentOS seems to be pretty well done, but the amount of packages that is delivered with it definitely doesn't fit all needs. Today, I tried to set up a server with CentOS (VMware Server). Worked pretty well, but for installing the NTFS driver, I had to import the rpmforge repository...

> And of course security/stability rarely means having the latest version.

Of course.

Am I on the right list? Not very many answers, so far...

CU
Manuel