Yum is great, but do you trust them?

Bevan C. Bennett bevan at fulcrummicro.com
Wed Feb 11 00:56:36 UTC 2004


Dan Stoner wrote:

> I think yum is a great tool for easing the install and update of
> packages.  However, I'm a little concerned about the security of getting
> patches this way, especially with the recommendations of changing the
> yum.conf to include servers that are "closer."
> 
> Would anyone do this on a server?

Absolutely.

> Would you trust the core repository more than the mirrors?

Not necessarily, although mirrors may lag behind by a few days.
As long as you require a good GPG signature, and are careful about 
installing keys you trust, you should be safe no matter where the 
package comes from.

> Am I crazy even for considering Fedora for a server installation?

Not at all.

> After installing Fedora Core 1 and running yum update, some of the
> package updates display "MD5 digest: BAD".  Apparently, these packages 
> did not have the expected checksums.  I believe they installed anyway.

That doesn't sound good. A bad md5 digest usually means a corrupt or 
incomplete download... not something you want installed. Are you sure 
they installed? My yum has been very good (even annoying at times) about 
not installing any package files that don't 'seem right'.

> My initial response was to freak out about this, but some other linux
> jockeys I spoke with said "no, that's normal, I see that all the time."

Tying this back to your earlier question, people seem to have a lot more 
incomplete or corrupt downloads when using the core repository. In this 
respect, I trust the mirrors -more- than the core.
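The point made above, that mirror choice stops mattering once every package must carry a good signature from a key you deliberately imported, can be checked mechanically. What follows is an added example, not code from this thread or from the yum project: a small POSIX shell audit that reads a yum.conf-style file and reports which repository sections would accept unsigned packages, plus a sed one-liner that forces the setting back on. The sample config, its hostnames and repository names are constructed. The inheritance rule it applies ([main] supplies the default gpgcheck value and a repository section may override it) is an assumption taken from later yum releases; check it against the yum version actually installed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the yum project.
# Audits a yum.conf: every repository must require a good GPG signature
# (gpgcheck=1), so that it does not matter which mirror served the RPM.
#
# Assumption: [main] gpgcheck is the default and a repository section may
# override it, as in later yum releases. Verify against your yum version.

# Constructed sample config; hostnames and repository names are placeholders.
SAMPLE_CONF=$(cat <<'EOF'
[main]
gpgcheck=1
# per-repository sections follow

[base]
name=Fedora Core 1 - Base
baseurl=http://mirror.example.net/fedora/1/i386/os/
gpgcheck=1

[updates-released]
name=Fedora Core 1 - Released Updates
baseurl=http://mirror.example.net/fedora/1/i386/updates/
gpgcheck=0

[extras]
name=Third-party extras, no explicit setting (inherits [main])
baseurl=http://other.example.org/rpms/
EOF
)

# audit_gpgcheck FILE
# Prints "<repo> <effective gpgcheck>" for every repository section and tags
# those that would install unsigned packages. Returns 1 if any repo is weak.
audit_gpgcheck() {
    awk '
    /^[[:space:]]*#/ { next }                      # skip comment lines
    /^[[:space:]]*\[/ {                             # section header
        sec = $0
        sub(/^[[:space:]]*\[/, "", sec); sub(/].*$/, "", sec)
        if (sec != "main") order[++n] = sec
        next
    }
    /^[[:space:]]*gpgcheck[[:space:]]*=/ {         # gpgcheck=<value>
        val = $0
        sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]*$/, "", val)
        if (sec == "main") def = val; else chk[sec] = val
        next
    }
    END {
        if (def == "") def = "0"                   # no [main] setting: unsigned accepted
        bad = 0
        for (i = 1; i <= n; i++) {
            s = order[i]
            v = (s in chk) ? chk[s] : def          # explicit value or inherited default
            printf "%s %s%s\n", s, v, (v == "1" ? "" : " (WARNING: unsigned packages accepted)")
            if (v != "1") bad = 1
        }
        exit bad
    }' "$1"
}

# fix_gpgcheck FILE
# Emits the config with every explicit gpgcheck line forced to 1.
fix_gpgcheck() {
    sed 's/^[[:space:]]*gpgcheck[[:space:]]*=.*/gpgcheck=1/' "$1"
}

# Stand-alone demo: audit the weak sample, then the corrected version.
demo_gpgcheck() {
    f=$(mktemp); g=$(mktemp)
    printf '%s\n' "$SAMPLE_CONF" > "$f"
    echo "== before =="; audit_gpgcheck "$f" || echo "audit FAILED (as expected)"
    fix_gpgcheck "$f" > "$g"
    echo "== after fix_gpgcheck =="; audit_gpgcheck "$g" && echo "audit OK"
    rm -f "$f" "$g"
}
demo_gpgcheck
```

The per-package counterpart on a live system is `rpm -K pkg.rpm` (the same as `rpm --checksig`), which reports the digest and signature status of an RPM before it is installed, and `rpm --import KEYFILE` is the step where a key becomes trusted, which is why that step deserves more care than the choice of mirror.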
