Hi,

I'm concerned that installing the yum rpm sets up a yum.conf file that points to duke.edu, and a cron job to run it. If anyone should crack the duke yum repository, installing a trojan rpm of, say, glibc with an updated version number, then every system that has ever installed yum and not disabled the duke url would be cracked that night when the cron job runs.

In fact, it's just as well we trust you, Seth; you could own a whole lot of Linux boxes very quickly if you should wish to :-)

I suggest the yum rpm be modified so:

* it doesn't set up the cron job by default
* the yum.conf file has all servers commented out.

Alternatively, rpm signing could be enabled instead:

* run "gpg --install /usr/share/rhn/RPM-GPG-KEY"
* have the yum.conf file always set gpgcheck=1

This would at least ensure that if a cracker installed a trojan in the duke yum repository, it would be rejected due to invalid signature.

Thoughts?

Regards,
Simon
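
An audit of the gpgcheck setting suggested in the message above, as an added example that is not part of the original post or of yum itself: it parses a yum.conf and lists the configured servers whose packages would be installed without a signature check. The sample configuration, its hostname and its section names are constructed, and the inheritance of gpgcheck from [main] with a default of off is an assumption about yum's behaviour.

```python
import configparser

# Constructed sample yum.conf; hostname and section names are placeholders.
SAMPLE_CONF = """\
[main]
cachedir=/var/cache/yum
logfile=/var/log/yum.log

[base]
name=Base packages
baseurl=http://mirror.example.org/yum/base/
gpgcheck=0

[updates]
name=Updates
baseurl=http://mirror.example.org/yum/updates/
"""


def audit_yum_conf(text, default_gpgcheck=False):
    """Return the sorted names of active server sections that skip signature checks.

    Assumption: a gpgcheck value in [main] is the default for every server
    section, a per-section value overrides it, and an absent value means off.
    Commented-out sections are ignored, since yum would not use them either.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)

    main_default = default_gpgcheck
    if parser.has_section("main") and parser.has_option("main", "gpgcheck"):
        main_default = parser.get("main", "gpgcheck").strip() == "1"

    unchecked = []
    for section in parser.sections():
        if section == "main" or not parser.has_option(section, "baseurl"):
            continue  # not a server definition
        if parser.has_option(section, "gpgcheck"):
            enabled = parser.get(section, "gpgcheck").strip() == "1"
        else:
            enabled = main_default
        if not enabled:
            unchecked.append(section)
    return sorted(unchecked)


if __name__ == "__main__":
    for name in audit_yum_conf(SAMPLE_CONF):
        print(f"[{name}] installs packages without a GPG signature check")
```

Run against /etc/yum.conf from the same cron schedule as the update job, a non-empty result means an unattended update could install an unsigned package.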