LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 07-29-2004, 11:08 PM   #1
Obie
Member
 
Registered: Apr 2004
Distribution: Red Hat
Posts: 290

Rep: Reputation: 30
Question Yum & APT-Rpm


Hi,

Having read several forums, it is my understanding I can run Yum or APT-Rpm to update a particular Linux distribution and in my case Red Hat 9. However how do I which repository is safe to use to download updates?

Thanks.
 
Old 08-01-2004, 08:17 PM   #2
Obie
Member
 
Registered: Apr 2004
Distribution: Red Hat
Posts: 290

Original Poster
Rep: Reputation: 30
Can't anyone help me with this questions?
 
Old 08-01-2004, 11:52 PM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
If you are simply looking for package repositories, there are a number of defaults built into the yum client and there is also a list of "official" ones listed at the YUM website at Duke.

If you are asking "how do I know if these packages aren't tampered with" then there are a number of checks built into yum and rpm. The rpm itself has an md5 checksum which is verified before the package is installed. Of course someone could get around that by modifying the package and then replacing the one in the rpm with one that is valid for the modified package. This is where YUM actually goes one step further than RPM. With RPM the use of GPG key signing is optional. RPM will give you a warning, but still will install the package. With YUM, it will automatically retrieve the Redhat/Fedora GPG key and verify that the package has been correctly signed with the proper key.

I'm not that familiar with the inner workings of APT-RPM, but I would imaging they are pretty similar.

To be honest, I think you're at much lower risk using an automated package installer rather than depending on yourself to check vulnerability lists on a daily basis to make sure all packages are updated. Makes a world of difference to know that you have something like yum when the next Apache remote root vulnerability comes out and you happen to be on vacation that week
 
Old 08-02-2004, 06:30 PM   #4
Obie
Member
 
Registered: Apr 2004
Distribution: Red Hat
Posts: 290

Original Poster
Rep: Reputation: 30
Capt_Caveman,

Thank you for your reply as well as providing an overview of how Yum differs from APT-Rpm. Based on your reply, I assume you are recommending that I go with Yum as opposed to APT-Rpm.
 
Old 08-02-2004, 10:10 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Honestly, I'm not that familiar with APT-RPM, so I can't really give you a fair comparison of the two. Obviously it will have the built-in security features of RPM, but I believe the enforcement of gpg key signed packages is optional. Your best bet will be took take a close look at the features of both and then make your decision based on which one suits your needs best
 
Old 08-02-2004, 11:41 PM   #6
Obie
Member
 
Registered: Apr 2004
Distribution: Red Hat
Posts: 290

Original Poster
Rep: Reputation: 30
Capt_Caveman,

Thanks. Just a quick question. How does YUM to know where to download the required packages from and also who maintains those repositories?
 
Old 08-03-2004, 08:47 AM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
The default servers are set in /etc/yum.conf, however you can change these to point to whatever rpm repository you wish. There are a number of alternatives listed at the yum website at Duke University. I believe the yum packages included with Redhat and Fedora have the Redhat or fedora.redhat repositories as their defaults. Obviously if you modify those defaults, you'd want to make sure that you are getting them from a reputable source.
 
Old 08-03-2004, 09:03 PM   #8
Obie
Member
 
Registered: Apr 2004
Distribution: Red Hat
Posts: 290

Original Poster
Rep: Reputation: 30
Capt_Caveman,

Thank you. Which sites would you consider as being reputable?
 
Old 08-06-2004, 12:04 AM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally posted by Obie
Which sites would you consider as being reputable?
Personally, I'd stick with the default rpm repositories at Redhat/Fedora.redhat . They seem to do a pretty good job of keeping their site secure (as far as I've heard).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
rpm -e & yum -remove. Easy questions. rickh Fedora 10 12-26-2005 11:46 AM
apt & yum TranceDude Linux - Software 2 08-16-2005 01:29 PM
yum & apt TranceDude Linux - Software 1 08-12-2005 01:56 PM
How do I tell yum/apt/rpm that I have hand built and installed apache/mysql/php BigDave Linux - Software 1 04-14-2005 03:51 PM
RedHat 9 & apt-rpm repositories ghight Linux - Software 2 04-11-2003 01:27 PM


All times are GMT -5. The time now is 12:25 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration