[ale] Safe apt-get repositories

Bob Toxen bob at verysecurelinux.com
Fri Jun 18 16:22:24 EDT 2004


On Fri, Jun 18, 2004 at 03:53:31PM -0400, Dow Hurst wrote:
> I have finally had a chance to use apt-get on a RH9 workstation.  However, 
> my question is how can you know that the repository is a safe one with 
> binaries that are trustable?  Now, I am not asking how to secure a computer 
> and I don't want to rehash how the only secure computer is one with no 
> connections and so on ad infinitum....  ;-)

> I guess I am really asking where the best/safest repositories are for 
> Redhat?

> What are they for SuSE?

Trust only from known places such as the primary sites and mirrors obtained
as links from them and other well-known sites such as GA Tech and Ibiblio.
Increase your confidence by using any or all of:

  1. Download from more than one site and compare the md5sum or sha1sum
     results.

  2. Verify the PGP signatures (and the validity of the certificate).
     Btw, trusting the MD5 or SHA1 sum obtained from the same site as
     the software was downloaded from is NOT good security.  If the
     site is compromised, it is trivial to compromise the MD5 or SHA1
     sum.

     The PGP signature is much harder to compromise IF its maintainer
     uses good security, such as keeping the secret certificate off
     the Internet, etc.

  3. Wait a week or two after obtaining the download and then check back
     on the site and see if they announce any recent compromises or if
     you hear of any from suitable news groups.

> Do people stray, when using Debian or Gentoo, to repositories outside of 
> the normal distribution channels for packages not in the main Gentoo/Debian 
> mirrors?
> Dow

> -- 
> __________________________________________________________
> Dow Hurst                  Office: 770-499-3428            *
> Systems Support Specialist    Fax: 770-423-6744            *
> 1000 Chastain Rd. Bldg. 12                                 *
> Chemistry Department SC428  Email:   dhurst at kennesaw.edu   *
> Kennesaw State University         Dow.Hurst at mindspring.com *
> Kennesaw, GA 30144                                         *
> ************************************************************

Bob Toxen
bob at verysecurelinux.com               [Please use for email to me]
http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

"Microsoft: Unsafe at any clock speed!"
   -- Bob Toxen 10/03/2002
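
The three checks above, written out as shell functions so they can be run
against any downloaded package. This is an added example, not code from the
original post or from any distribution's tooling; it assumes sha256sum (or
shasum) is installed, that gpg is present only for the signature step, and
that the mirror names, file names and checksum-file layout ("<hex>  <name>",
as sha256sum prints) are placeholders you substitute for your own.

```sh
#!/bin/sh
# Added example: cross-mirror, published-checksum and PGP checks for a
# downloaded package. File names and mirrors below are placeholders.
set -u

# Print the SHA-256 of a file with whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Check 1: the same package fetched from two independent mirrors must hash
# identically. One trojaned mirror cannot satisfy this on its own.
mirrors_agree() {
    a=$(sha256_of "$1")
    b=$(sha256_of "$2")
    [ "$a" = "$b" ]
}

# Check 2 (the caveat in the post): a checksum only means something when it
# came from somewhere other than the site that served the binary, e.g. the
# project's primary site or its announcement mail. $2 is that checksum file,
# one "<hex>  <name>" line per package; the entry is matched on basename.
matches_published_sum() {
    file=$1
    sumfile=$2
    want=$(awk -v n="$(basename "$file")" '$2 == n { print $1 }' "$sumfile")
    [ -n "$want" ] && [ "$want" = "$(sha256_of "$file")" ]
}

# Check 3: verify the detached PGP signature ($1) over the package ($2).
# The signing key must already be in the keyring, imported from a channel
# you trust rather than from the download site. Fails closed (returns 1)
# when gpg is not installed instead of silently passing.
signature_verifies() {
    command -v gpg >/dev/null 2>&1 || return 1
    gpg --batch --verify "$1" "$2" >/dev/null 2>&1
}

# Run all three; any one failing is reason enough not to install.
package_is_trustworthy() {
    mirror1=$1; mirror2=$2; sums=$3; sig=$4
    mirrors_agree "$mirror1" "$mirror2" &&
    matches_published_sum "$mirror1" "$sums" &&
    signature_verifies "$sig" "$mirror1"
}
```

Usage: fetch the package once from each of two mirrors, fetch the checksum
list and the detached signature from the primary site, then call
`package_is_trustworthy pkg-from-a.rpm pkg-from-b.rpm SHA256SUMS pkg.rpm.asc`.
On an RPM-based box such as the RH9 workstation in the question, the signature
step can also be done with `rpm --checksig pkg.rpm` once the vendor's key has
been loaded with `rpm --import`; the cross-mirror comparison is still worth
doing, because it does not depend on the key having been imported from a
clean source.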
