Yum is great, but do you trust them?
Bevan C. Bennett
bevan at fulcrummicro.com
Wed Feb 11 00:56:36 UTC 2004
Dan Stoner wrote:
> I think yum is a great tool for easing the install and update of
> packages. However, I'm a little concerned about the security of getting
> patches this way, especially with the recommendations of changing the
> yum.conf to include servers that are "closer."
>
> Would anyone do this on a server?
Absolutely.
> Would you trust the core repository more than the mirrors?
Not necessarily, although mirrors may lag behind by a few days.
As long as you require a good GPG signature, and are careful about
installing keys you trust, you should be safe no matter where the
package comes from.
> Am I crazy even for considering Fedora for a server installation?
Not at all.
> After installing Fedora Core 1 and running yum update, some of the
> package updates display "MD5 digest: BAD". Apparently, these packages
> did not have the expected checksums. I believe they installed anyway.
That doesn't sound good. A bad md5 digest usually means a corrupt or
incomplete download... not something you want installed. Are you sure
they installed? My yum has been very good (even annoying at times) about
not installing any package files that don't 'seem right'.
> My initial response was to freak out about this, but some other linux
> jockeys I spoke with said "no, that's normal, I see that all the time."
Tying this back to your earlier question, people seem to have a lot more
incomplete or corrupt downloads when using the core repository. In this
respect, I trust the mirrors -more- than the core.
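The reply above hinges on one configuration detail: every repository yum pulls from, core or mirror, must have GPG signature checking turned on. The following is an added example, not code from the original post or from the yum project: a small POSIX shell audit that reads a yum.conf-style file and lists every repository section that does not require a good signature. It assumes yum's INI layout, treats a gpgcheck value in [main] as the default that repository sections inherit (an assumption about yum semantics), and uses a constructed sample config with example.invalid hostnames.

```shell
#!/bin/sh
# Added example (not from the original post or from yum): report repository
# sections in a yum.conf-style file whose gpgcheck setting is not 1.
# Assumption: a gpgcheck line under [main] is the default for sections that
# do not set their own; a section with neither is reported as unchecked.

# Constructed sample config: [extra] turns checking off, [unset] never sets it.
SAMPLE_CONF='[main]
cachedir=/var/cache/yum
[base]
name=Fedora Core 1 base
baseurl=http://example.invalid/fedora/1/
gpgcheck=1
[extra]
name=A "closer" mirror someone recommended
baseurl=http://mirror.example.invalid/fedora/1/
gpgcheck=0
[unset]
name=No gpgcheck line at all
baseurl=http://other.example.invalid/fedora/1/
'

# Print, one per line, the sections (other than [main]) that would install
# packages without a required GPG signature.
# Usage: report_unsigned_repos <config-file>
report_unsigned_repos() {
    awk '
        # Section header: remember its name and order of appearance.
        /^[ \t]*\[/ { n++; name[n] = $0; sub(/^[ \t]*\[/, "", name[n]); sub(/\].*$/, "", name[n]); next }
        # gpgcheck key: strip whitespace around the value and store it by section.
        /^[ \t]*gpgcheck[ \t]*=/ { split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); if (n > 0) check[name[n]] = kv[2]; next }
        END {
            def = ("main" in check) ? check["main"] : ""
            for (i = 1; i <= n; i++) {
                s = name[i]
                if (s == "main") continue
                v = (s in check) ? check[s] : def
                if (v != "1") print s
            }
        }
    ' "$1"
}

# Run the audit over the constructed sample and return its output.
demo_report() {
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_CONF" > "$tmp"
    report_unsigned_repos "$tmp"
    rm -f "$tmp"
}
```

Running `demo_report` on the sample prints `extra` and `unset`; a real yum.conf that prints nothing is one where every configured source is held to the same signature requirement, which is the condition the reply above relies on.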