[Yum] Re: Usernames, Passwords and yum

seth vidal skvidal at phy.duke.edu
Wed Jun 9 22:29:49 UTC 2004


On Wed, 2004-06-09 at 15:24 -0700, Brian wrote:
> My biggest concern over having company specific repos
> is that you set up a box with a open port that updates
> all your other boxes.  And you have no encryption
> through YUM.  If the FTP server is misconfigured in
> anyway, you have a serious security problem.   

why not use https connections? Yum, last time I checked, supports those.

Notably it does not check the validity of the cert from the ssl site b/c
python's urllib doesn't do this. However, it does support encrypted
connections, just not via ftp.


> If the YUM box is at all accessible outside of the
> company, then anyone can possibly modify your RPMs. 
> When you go and update, all your boxes now have the
> modified RPMs installed, which can create a company
> wide security problem. 
> 
umm this is what gpg signing and checking of packages is all about.

so if someone owns your repository they need to own your gpg key and
passphrase to truly compromise your systems for packages.

-sv
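The two controls the reply relies on are both plain repo-file settings: an https baseurl for the transport, and gpgcheck=1 (with the signing key imported or pointed at by gpgkey) so yum refuses packages whose signature does not verify. The script below is an added example, not code from the thread or from the yum project: it audits .repo definitions for the weak combination Brian describes (ftp:// or http:// baseurl, gpgcheck off or missing) and prints a verdict per section. The repository names, URLs and key path in the sample file are constructed for the demo; a missing gpgcheck is counted as weak because the section then inherits whatever the main config says, and only baseurl is inspected (mirrorlist entries are ignored). Note that, per the reply above, https in yum of that era gave encryption without certificate checking, so gpgcheck remains the control that actually binds packages to your key.

```shell
#!/bin/sh
# Audit yum .repo files for the weaknesses discussed in the thread:
# plaintext transport (ftp:// or http:// baseurl) and unsigned installs
# (gpgcheck=0 or no gpgcheck line). Example added here; not part of yum.

# audit_repo FILE
#   Prints one line per [section]: "<name> OK" or "<name> WEAK: <reasons>".
#   Returns 1 if any section is weak, 0 otherwise.
audit_repo() {
    awk '
    BEGIN { bad = 0 }
    # Emit the verdict for the section collected so far.
    function flush() {
        if (name == "") return
        reasons = ""
        if (base !~ /^https:\/\//) reasons = "plaintext-baseurl"
        if (gpg != "1") reasons = reasons (reasons == "" ? "" : ",") "gpgcheck-off"
        if (reasons == "") print name " OK"
        else { print name " WEAK: " reasons; bad = 1 }
    }
    /^\[.*\]$/ { flush(); name = substr($0, 2, length($0) - 2); base = ""; gpg = ""; next }
    /^[ \t]*baseurl[ \t]*=/  { sub(/^[^=]*=[ \t]*/, ""); base = $0; next }
    /^[ \t]*gpgcheck[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); gpg = $0; next }
    END { flush(); exit bad }
    ' "$1"
}

# make_sample FILE
#   Writes a constructed .repo file: one section with both weaknesses
#   (the FTP setup from the mail) and one hardened section.
make_sample() {
    cat > "$1" <<'EOF'
[company-ftp]
name=Company repo over FTP, packages not checked (weak)
baseurl=ftp://repo.example.com/pub/rhel
gpgcheck=0

[company-https]
name=Company repo over HTTPS with signed packages
baseurl=https://repo.example.com/pub/rhel
gpgcheck=1
gpgkey=https://repo.example.com/RPM-GPG-KEY-company
EOF
}

# With no arguments, audit the constructed sample; otherwise audit the
# given .repo files (e.g. /etc/yum.repos.d/*.repo).
if [ "$#" -eq 0 ]; then
    sample=$(mktemp)
    make_sample "$sample"
    audit_repo "$sample" || echo "at least one repository is weak"
    rm -f "$sample"
else
    for f in "$@"; do audit_repo "$f"; done
fi
```

Run as `sh audit_repos.sh /etc/yum.repos.d/*.repo` to check a real box; a non-zero exit is the signal to fix before pointing hosts at that repository.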