pretty up2date vs reliable yum?
James Wilkinson
james at westexe.demon.co.uk
Wed Jan 26 01:57:21 UTC 2005
Scot L. Harris wrote:
> IMHO automatic updates may be fine for home users, and for home users
> should probably be the default. But for production level
> systems/servers I would never permit automatic updates. First problem
> is having an updated package knock your service down or worse cause your
> system to lose data. Second problem is security. If the particular
> mirror being used happens to get compromised then you could have dozens
> if not hundreds of systems running trojan software which reports back to
> the person that compromised the mirror.
That's been thought about, and there is a mechanism in place to stop it
happening.
Assuming that you actually imported the right GPG keys, and still have
gpgcheck=1 in your /etc/yum.conf, then there is no way for an attacker
to generate packages that your system will accept unless they have a
copy of the *private* key corresponding to one you installed.
The whole point of the GPG key palaver is to prevent rogue mirrors and
other errors in transmission.
> Taking a few minutes to review security updates and package updates is
> worth it.
I thoroughly agree (assuming the reviewer has the basic IT competence to
understand the notifications).
> In a true production environment one would never auto update
> the production system. Such changes would be done on a staging
> environment and testing performed to make sure everything works as
> expected. Then a planned roll out of the updates can be scheduled.
I wish!
*Lots* of (usually small) companies will try "fire and forget" with
their servers, be they Windows, Linux, or whatever. They may not *have*
an IT staff, and decide that they will only get someone in to set up new
systems or when there is a problem.
In such cases, the only rational thing for the installer to do is to
completely firewall the server (not exactly possible for e-mail
servers...) or to trust the auto-update.
James.
--
James Wilkinson | After all, all he did was string together a lot
Exeter Devon UK | of old, well-known quotations.
E-mail address: james | -- H.L. Mencken, on Shakespeare
@westexe.demon.co.uk |
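Added example, not part of the original thread: a small Python audit in the spirit of the gpgcheck=1 advice above. It parses yum's INI-style configuration (a constructed sample is embedded inline; the repository ids and mirror URLs are invented) and reports every enabled repository whose effective gpgcheck setting is off, taking the [main] value as the inherited default.

```python
import configparser
from typing import Dict, List

# Constructed sample in the format yum reads from /etc/yum.conf and
# /etc/yum.repos.d/*.repo. [main] holds the default that each repository
# inherits unless it sets gpgcheck itself. Hostnames are placeholders.
SAMPLE_YUM_CONF = """\
[main]
cachedir=/var/cache/yum
gpgcheck=1

[base]
name=Fedora Core base
baseurl=http://mirror.example.invalid/fedora/core/3/i386/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

[updates-released]
name=Fedora Core updates
baseurl=http://mirror.example.invalid/fedora/core/updates/3/i386/
gpgcheck=0

[thirdparty]
name=Unsigned third-party repo
baseurl=http://other.example.invalid/rpms/
enabled=0
gpgcheck=0
"""

def audit_gpgcheck(conf_text: str) -> Dict[str, bool]:
    """Map each repo id to its effective gpgcheck value.

    A repo's own gpgcheck wins; otherwise it inherits [main]. If neither
    sets it, this example conservatively treats the check as off.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    default = cp.getboolean("main", "gpgcheck", fallback=False)
    return {repo: cp.getboolean(repo, "gpgcheck", fallback=default)
            for repo in cp.sections() if repo != "main"}

def unsigned_enabled_repos(conf_text: str) -> List[str]:
    """Repos that are enabled and would install packages unverified."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return sorted(repo for repo, ok in audit_gpgcheck(conf_text).items()
                  if not ok and cp.getboolean(repo, "enabled", fallback=True))

if __name__ == "__main__":
    for repo in unsigned_enabled_repos(SAMPLE_YUM_CONF):
        print(f"WARNING: repo '{repo}' is enabled with gpgcheck off")
```

Pointing the functions at the real /etc/yum.conf and each file under /etc/yum.repos.d/ turns this into a quick pre-flight check before trusting an auto-update cron job.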