Hi, let's say we want to update Red Hat 6 packages on our servers on a private corporate network. Ansible is a good way to to this. We would have a yml file that has a line that says

yum: update=latest

and a host file with a list of servers to update.

My question is, where are these packages coming from? If it's from Red Hat, is this secure? What about satellite server - do we still need this? Is this free now -- used to be $$$.

What solutions do you have at your organizations for "patch management"?

Many thanks for your answers!

The patches are build by Red Hat.
These patches are synchronized to the mirror servers.
It is a good idea to download the patches from a nearby and fast server.

It is a good idea to setup a local mirror server in your network.
This saves download volume and is faster.

Then the servers can download the patches from the local mirror server.

Redhat patches are signed, a way to verify where they're coming from

Does Red Hat encrypt packages being sent to users? If I yum from a Red Hat repo at Red Hat, are those packages encrypted?

Why would they do that? Is there something secret in Redhat packages?

Because anything being pushed over the Internet is subject to tampering and intrusion. That's why you have a local repository of packages - security. If the push is encrypted, you're better off.

If you can verify the package signature, why the package should be encrypted if it doesn't contain secret data?

https://access.redhat.com/documentat...k-rpm-sig.html

Because not everyone verifies the package signature. Encryption / decryption eliminates that step.

Isn't signature automatically checked when you install the patch? Sorry for asking but I'm not familiar with Redhat

Package Managers do.