Re: Yum is great, but do you trust them?

Dan Stoner wrote:

> I think yum is a great tool for easing the install and update of
> packages.  However, I'm a little concerned about the security of getting
> patches this way, especially with the recommendations of changing the
> yum.conf to include servers that are "closer."
>
> Would anyone do this on a server?

Absolutely.

> Would you trust the core repository more than the mirrors?

Not necessarily, although mirrors may lag behind by a few days.
As long as you require a good GPG signature, and are careful about installing keys you trust, you should be safe no matter where the package comes from.


> Am I crazy even for considering Fedora for a server installation?

Not at all.

> After installing Fedora Core 1 and running yum update, some of the
> package updates display "MD5 digest: BAD". Apparently, these packages
> did not have the expected checksums. I believe they installed anyway.

That doesn't sound good. A bad md5 digest usually means a corrupt or incomplete download... not something you want installed. Are you sure they installed? My yum has been very good (even annoying at times) about not installing any package files that don't 'seem right'.


> My initial response was to freak out about this, but some other linux
> jockeys I spoke with said "no, that's normal, I see that all the time."

Tying this back to your earlier question, people seem to have a lot more incomplete or corrupt downloads when using the core repository. In this respect, I trust the mirrors -more- than the core.
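
The signature requirement discussed in this thread is controlled by the gpgcheck option in yum.conf. As an added example (not part of the original message), this Python script audits a yum.conf-style file and lists the repositories where the check is not enabled; the sample file and its hostnames are constructed, and treating a missing setting as disabled is an assumption.

```python
import configparser

# Constructed sample: a yum.conf after a nearby mirror was added by hand.
# Hostnames are placeholders, not real mirrors.
SAMPLE_YUM_CONF = """\
[main]
cachedir=/var/cache/yum
gpgcheck=1

[base]
name=Fedora Core base
baseurl=http://mirror.example.org/fedora/core/os/

[updates]
name=Fedora Core updates (nearby mirror)
baseurl=http://mirror.example.net/fedora/core/updates/
gpgcheck=0

[extras]
name=Third-party packages
baseurl=http://repo.example.com/extras/
gpgcheck=1
"""


def audit_gpgcheck(conf_text):
    """Return {repo_id: True/False}: is GPG signature checking on for that repo?"""
    # RawConfigParser: no interpolation, so values like $basearch or % pass through.
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(conf_text)
    # [main] sets the default for every repo; assumption: absent means disabled.
    main_default = "0"
    if parser.has_section("main"):
        main_default = parser.get("main", "gpgcheck", fallback="0")
    result = {}
    for section in parser.sections():
        if section == "main":
            continue
        # A per-repo gpgcheck overrides the [main] default.
        value = parser.get(section, "gpgcheck", fallback=main_default)
        # Conservative: anything other than a literal 1 is reported as off.
        result[section] = value.strip() == "1"
    return result


def unchecked_repos(conf_text):
    """Sorted list of repo ids whose packages would install without a signature check."""
    return sorted(repo for repo, ok in audit_gpgcheck(conf_text).items() if not ok)


if __name__ == "__main__":
    for repo in unchecked_repos(SAMPLE_YUM_CONF):
        print(f"{repo}: gpgcheck is off; packages from this source are not verified")
```
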






