[ale] Safe apt-get repositories
Bob Toxen
bob at verysecurelinux.com
Fri Jun 18 16:22:24 EDT 2004
On Fri, Jun 18, 2004 at 03:53:31PM -0400, Dow Hurst wrote:
> I have finally had a chance to use apt-get on a RH9 workstation. However,
> my question is how can you know that the repository is a safe one with
> binaries that are trustable? Now, I am not asking how to secure a computer
> and I don't want to rehash how the only secure computer is one with no
> connections and so on ad infinitum.... ;-)
> I guess I am really asking where the best/safest repositories are for
> Redhat?
> What are they for SuSE?
Trust only from known places such as the primary sites and mirrors obtained
as links from them and other well-known sites such as GA Tech and Ibiblio.
Increase your confidence by using any or all of:
1. Download from more than one site and compare the md5sum or sha1sum
results.
2. Verify the PGP signatures (and the validity of the certificate).
Btw, trusting the MD5 or SHA1 sum obtained from the same site as
the software was downloaded from is NOT good security. If the
site is compromised, it is trivial to compromise the MD5 or SHA1
sum.
The PGP signature is much harder to compromise IF its maintainer
uses good security, such as keeping the secret certificate off
the Internet, etc.
3. Wait a week or two after obtaining the download and then check back
on the site and see if they announce any recent compromises or if
you hear of any from suitable news groups.
> Do people stray, when using Debian or Gentoo, to repositories outside of
> the normal distribution channels for packages not in the main Gentoo/Debian
> mirrors?
> Dow
> --
> __________________________________________________________
> Dow Hurst Office: 770-499-3428 *
> Systems Support Specialist Fax: 770-423-6744 *
> 1000 Chastain Rd. Bldg. 12 *
> Chemistry Department SC428 Email: dhurst at kennesaw.edu *
> Kennesaw State University Dow.Hurst at mindspring.com *
> Kennesaw, GA 30144 *
> ************************************************************
Bob Toxen
bob at verysecurelinux.com [Please use for email to me]
http://www.verysecurelinux.com [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
"Microsoft: Unsafe at any clock speed!"
-- Bob Toxen 10/03/2002
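The first of Bob's three checks, fetch the same package from two mirrors and compare the sums, can be scripted with nothing but coreutils. The block below is an added example, not code from the thread or from any distribution's tooling. It puts the cross-mirror comparison next to the "trust the .md5 file hosted beside the package" check that Bob warns against, and builds two constructed mirror directories (mirrorA genuine, mirrorB tampered with a rewritten checksum file) so it runs offline; the package name foo-1.0.rpm and both mirror trees are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): cross-mirror checksum
# comparison versus trusting a checksum published on the same site.
# All file names below are constructed for the demo.

# cross_mirror_check PKG_FROM_A PKG_FROM_B
# Succeeds only if both copies hash identically under sha1sum and md5sum.
cross_mirror_check() {
    a_sha=$(sha1sum "$1" | cut -d' ' -f1)
    b_sha=$(sha1sum "$2" | cut -d' ' -f1)
    a_md5=$(md5sum "$1" | cut -d' ' -f1)
    b_md5=$(md5sum "$2" | cut -d' ' -f1)
    [ "$a_sha" = "$b_sha" ] && [ "$a_md5" = "$b_md5" ]
}

# same_site_check PKG SUMFILE
# Emulates trusting the .md5 file published beside the package on the same
# mirror: md5sum -c only proves the file matches what that site claims.
same_site_check() {
    dir=$(dirname "$1")
    ( cd "$dir" && md5sum -c "$(basename "$2")" >/dev/null 2>&1 )
}

# make_demo_mirrors DIR
# Builds two constructed mirror trees: A serves the genuine package, B serves
# a tampered package together with a checksum file rewritten to match it.
make_demo_mirrors() {
    mkdir -p "$1/mirrorA" "$1/mirrorB"
    printf 'genuine package bytes\n' > "$1/mirrorA/foo-1.0.rpm"
    printf 'tampered package bytes\n' > "$1/mirrorB/foo-1.0.rpm"
    # each mirror publishes the md5 of whatever it happens to be serving
    ( cd "$1/mirrorA" && md5sum foo-1.0.rpm > foo-1.0.rpm.md5 )
    ( cd "$1/mirrorB" && md5sum foo-1.0.rpm > foo-1.0.rpm.md5 )
}

demo() {
    tmp=$(mktemp -d)
    make_demo_mirrors "$tmp"
    if same_site_check "$tmp/mirrorB/foo-1.0.rpm" "$tmp/mirrorB/foo-1.0.rpm.md5"; then
        echo "mirror B: same-site .md5 matches (this proves nothing)"
    fi
    if cross_mirror_check "$tmp/mirrorA/foo-1.0.rpm" "$tmp/mirrorB/foo-1.0.rpm"; then
        echo "mirrors agree"
    else
        echo "mirrors DISAGREE: do not install until you know which copy is genuine"
    fi
    rm -rf "$tmp"
}

demo
```

Running it prints that mirror B's own checksum file verifies cleanly while the two mirrors disagree, which is exactly Bob's point: a sum served from the compromised site is rewritten along with the package. A disagreement only tells you that one copy is wrong, not which, so it is the cue to fall back on his second check: import the maintainer's public key from somewhere other than the download site and run `gpg --verify foo-1.0.rpm.asc foo-1.0.rpm` against the detached signature.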