Hi,

Having read several forums, it is my understanding I can run Yum or APT-Rpm to update a particular Linux distribution and in my case Red Hat 9. However how do I which repository is safe to use to download updates?

Thanks.

Can't anyone help me with this questions?

If you are simply looking for package repositories, there are a number of defaults built into the yum client and there is also a list of "official" ones listed at the YUM website at Duke.

If you are asking "how do I know if these packages aren't tampered with" then there are a number of checks built into yum and rpm. The rpm itself has an md5 checksum which is verified before the package is installed. Of course someone could get around that by modifying the package and then replacing the one in the rpm with one that is valid for the modified package. This is where YUM actually goes one step further than RPM. With RPM the use of GPG key signing is optional. RPM will give you a warning, but still will install the package. With YUM, it will automatically retrieve the Redhat/Fedora GPG key and verify that the package has been correctly signed with the proper key.

I'm not that familiar with the inner workings of APT-RPM, but I would imaging they are pretty similar.

To be honest, I think you're at much lower risk using an automated package installer rather than depending on yourself to check vulnerability lists on a daily basis to make sure all packages are updated. Makes a world of difference to know that you have something like yum when the next Apache remote root vulnerability comes out and you happen to be on vacation that week

Capt_Caveman,

Thank you for your reply as well as providing an overview of how Yum differs from APT-Rpm. Based on your reply, I assume you are recommending that I go with Yum as opposed to APT-Rpm.

Honestly, I'm not that familiar with APT-RPM, so I can't really give you a fair comparison of the two. Obviously it will have the built-in security features of RPM, but I believe the enforcement of gpg key signed packages is optional. Your best bet will be took take a close look at the features of both and then make your decision based on which one suits your needs best

Capt_Caveman,

Thanks. Just a quick question. How does YUM to know where to download the required packages from and also who maintains those repositories?

The default servers are set in /etc/yum.conf, however you can change these to point to whatever rpm repository you wish. There are a number of alternatives listed at the yum website at Duke University. I believe the yum packages included with Redhat and Fedora have the Redhat or fedora.redhat repositories as their defaults. Obviously if you modify those defaults, you'd want to make sure that you are getting them from a reputable source.

Capt_Caveman,

Thank you. Which sites would you consider as being reputable?

Personally, I'd stick with the default rpm repositories at Redhat/Fedora.redhat . They seem to do a pretty good job of keeping their site secure (as far as I've heard).