[ale] Safe apt-get repositories

James P. Kinney III jkinney at localnetsolutions.com
Fri Jun 18 17:05:00 EDT 2004


On Fri, 2004-06-18 at 16:32, Bob Toxen wrote:
> On Fri, Jun 18, 2004 at 03:53:31PM -0400, Dow Hurst wrote:
> > I have finally had a chance to use apt-get on a RH9 workstation.  However, 
> > my question is how can you know that the repository is a safe one with 
> > binaries that are trustable?  Now, I am not asking how to secure a computer 
> > and I don't want to rehash how the only secure computer is one with no 
> > connections and so on ad infinitum....  ;-)
> 
> > I guess I am really asking where the best/safest repositories are for 
> > Redhat?
> Also, RedHat RPMs contain a cryptographic signature that RPM verifies.
> I'm not sure of all of the details regarding trusted keys.

RedHat ships their key with their CDs. It is installed by default now
that rpm defaults to checking GPG signatures. **Note** If the package
_has_no_signature_ rpm will install it anyway with the "No GPG
Signature" notice. Bad idea. What one MUST do is run rpm --verify
foo.rpm on every package before installation. It is required to get the
developer keys and install them on the keyring. As the GPG signature
happens during the build process, it is a good method of verifying that
the binaries came from where they claim their origin to be.
> 
> > What are they for SuSE?
> 
> > Do people stray, when using Debian or Gentoo, to repositories outside of 
> > the normal distribution channels for packages not in the main Gentoo/Debian 
> > mirrors?
> > Dow
> 
> > -- 
> > __________________________________________________________
> > Dow Hurst                  Office: 770-499-3428            *
> > Systems Support Specialist    Fax: 770-423-6744            *
> > 1000 Chastain Rd. Bldg. 12                                 *
> > Chemistry Department SC428  Email:   dhurst at kennesaw.edu   *
> > Kennesaw State University         Dow.Hurst at mindspring.com *
> > Kennesaw, GA 30144                                         *
> > ************************************************************
> 
> Bob Toxen
> bob at verysecurelinux.com               [Please use for email to me]
> http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
> http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
> Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
> 
> "Microsoft: Unsafe at any clock speed!"
>    -- Bob Toxen 10/03/2002
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
> 
-- 
James P. Kinney III          \Changing the mobile computing world/
CEO & Director of Engineering \          one Linux user         /
Local Net Solutions,LLC        \           at a time.          /
770-493-8244                    \.___________________________./
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
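As an added example (not part of the original thread or of any list member's code), a small POSIX sh gatekeeper that runs rpm --checksig (rpm -K) over each package and refuses any whose output does not report a verified GPG signature, so the "digests present, no signature" case described above becomes a hard failure instead of a notice. The rpm output strings in the comments are constructed samples; the check handles both the older "sha1 md5 gpg OK" wording and the newer "digests signatures OK" wording.

```shell
#!/bin/sh
# Gatekeeper for RPM installs: accept a package only when `rpm --checksig`
# reports a verified GPG/PGP signature, and refuse packages that carry
# digests but no signature (which rpm itself would install with a notice).

# Classify one line of `rpm --checksig` (rpm -K) output. Prints one verdict:
#   ACCEPT           digests and GPG/PGP signature verified
#   REJECT-BAD       rpm said NOT OK (bad digest, bad signature, missing key)
#   REJECT-UNSIGNED  digests OK but no signature present
#   REJECT-UNKNOWN   output not recognised (treated as failure, never success)
# Return status is 0 only for ACCEPT, so the function works directly in `if`.
# Constructed sample lines:
#   old signed:   "foo.rpm: (sha1) dsa sha1 md5 gpg OK"
#   old unsigned: "foo.rpm: sha1 md5 OK"
#   new signed:   "foo.rpm: digests signatures OK"
#   new unsigned: "foo.rpm: digests OK"
classify_checksig_line() {
    line=$1
    case $line in
        *"NOT OK"*)             echo REJECT-BAD;      return 1 ;;
        *" OK")
            case $line in
                *[gG][pP][gG]*|*[pP][gG][pP]*|*[sS]ignatures*)
                                echo ACCEPT;          return 0 ;;
                *)              echo REJECT-UNSIGNED; return 1 ;;
            esac ;;
        *)                      echo REJECT-UNKNOWN;  return 1 ;;
    esac
}

# Run the check over each .rpm named on the command line. Prints one verdict
# per package and returns non-zero if any package should not be installed.
# Requires the vendor/developer public keys to be on the rpm keyring first
# (rpm --import), otherwise every signed package shows up as REJECT-BAD.
verify_before_install() {
    rc=0
    for pkg in "$@"; do
        out=$(rpm --checksig "$pkg" 2>&1) || true    # verdict comes from the text
        verdict=$(classify_checksig_line "$out") || true
        echo "$verdict $pkg"
        [ "$verdict" = ACCEPT ] || rc=1
    done
    return $rc
}

# Usage: verify_before_install ./*.rpm && rpm -Uvh ./*.rpm
```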