Re: Yum is great, but do you trust them?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Dan Stoner said:
> Hi,
>
> I think yum is a great tool for easing the install and update of
> packages.  However, I'm a little concerned about the security of getting
> patches this way, especially with the recommendations of changing the
> yum.conf to include servers that are "closer."

That's why the packages are GPG signed.  If you don't trust the Fedora
Project's GPG key... then why did you install the distro :-)  Anyone know
if gpgcheck is defaulted to 1 or do you have to specify it?

[snip]
> After installing Fedora Core 1 and running yum update, some of the
> package updates display "MD5 digest: BAD".  Apparently, these packages
> did not have the expected checksums.  I believe they installed anyway.

I think you should check.  I think you will find either they were:
redownloaded and the next download wasn't corrupted or not installed.

> My initial response was to freak out about this, but some other linux
> jockies I spoke with said "no, that's normal, I see that all the time.".

This is because they are not smart enough to use mirrors.  The extra load
on the main mirror is what causes some of these corrupt downloads in the
first place.

-- 
William Hooper




[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux