Simon says: (I bet you get that waaaay too often)

> I'm concerned that installing the yum rpm sets up a yum.conf file that
> points to duke.edu, and a cron job to run it.

Note that the cron job doesn't do anything unless you start the yum service.

> If anyone should crack the duke yum repository, installing a
> trojan rpm
> of, say, glibc with an updated version number, then every system that
> has ever installed yum and not disabled the duke url would be cracked
> that night when the cron job runs.

Yup.</pun>

> I suggest the yum rpm be modified so:
> * it doesn't set up the cron job by default

Look at the cron job. It might be a loaded gun, but the safety is definitely on. You have to manually take some sort of action (i.e. starting the yum service) to make the cron job actually do anything.

> * the yum.conf file has all servers commented out.

I'm of mixed feelings on this. Of course, I'm rolling my own yum RPMs for corporate use, but in a general sense most people are *idiots*. Commenting out the servers would instantly reveal how many idiots are running Linux. Some of them will even post to this mailing list from time to time complaining that "yum update" doesn't work.

Even installing yum at all implies some great level of trust in Seth et al. His code is trusted to fsck with your RPM database, regardless of what repository you use.

That said, the poor Duke server sounds like it is taking an awful beating. I don't think it would be inappropriate to put in additional sources.

> Alternatively, rpm signing could be enabled instead:
> * run "gpg --install /usr/share/rhn/RPM-GPG-KEY"
> * have the yum.conf file always set gpgcheck=1
> This would at least ensure that if a cracker installed a trojan in the
> duke yum repository, it would be rejected due to invalid signature.

GPG checking should always be enabled for the Red Hat base and update repositories. I thought it was on by default but, like I said, I'm not using the default RPMs. Unfortunately the yum.conf man page currently doesn't seem to expound on whether this is on by default or not if not explicitly set.
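The thread's open question is which repositories in a yum.conf would actually have signature checking enforced. The following audit script is an added example; it is not code from the yum project or from anyone in this thread. It assumes yum.conf is INI-style with a `[main]` section and one section per repository, that `gpgcheck` may be set globally in `[main]` or per repository, and, since the post notes the man page does not document the default, it treats an unset `gpgcheck` as not enforced. The two sample configurations and the mirror URLs are constructed for the example.

```python
"""Audit a yum.conf for repositories that would accept unsigned packages.

Added example, not yum's own code. Assumptions: INI layout with [main] plus
one section per repository; `gpgcheck` may be set in [main] or per repo;
an unset `gpgcheck` is treated as "not enforced" because the default is
undocumented (per the mailing-list post above).
"""
import configparser

# Constructed sample: a default-looking config with no global gpgcheck and
# one repository that never sets it.
WEAK_CONF = """\
[main]
cachedir=/var/cache/yum
debuglevel=2
logfile=/var/log/yum.log

[base]
name=Red Hat Linux $releasever base
baseurl=http://mirror.example.invalid/yum/base/

[updates]
name=Red Hat Linux $releasever updates
baseurl=http://mirror.example.invalid/yum/updates/
gpgcheck=1
"""

# Constructed hardened variant: gpgcheck forced on in [main] and stated
# explicitly in every repository section as well.
HARDENED_CONF = """\
[main]
cachedir=/var/cache/yum
debuglevel=2
logfile=/var/log/yum.log
gpgcheck=1

[base]
name=Red Hat Linux $releasever base
baseurl=http://mirror.example.invalid/yum/base/
gpgcheck=1

[updates]
name=Red Hat Linux $releasever updates
baseurl=http://mirror.example.invalid/yum/updates/
gpgcheck=1
"""

TRUE_VALUES = {"1", "true", "yes", "on"}


def parse_conf(text):
    # interpolation=None so "$releasever" is kept as a literal string.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def effective_gpgcheck(cp, repo):
    """Return (enforced, source) for one repository section.

    A per-repository setting wins over [main]; if neither is present the
    check is reported as not enforced and the source is "unset".
    """
    if cp.has_option(repo, "gpgcheck"):
        return cp.get(repo, "gpgcheck").strip().lower() in TRUE_VALUES, repo
    if cp.has_section("main") and cp.has_option("main", "gpgcheck"):
        return cp.get("main", "gpgcheck").strip().lower() in TRUE_VALUES, "main"
    return False, "unset"


def audit(text):
    """List repositories whose packages would be installed without a signature check."""
    cp = parse_conf(text)
    findings = []
    for repo in cp.sections():
        if repo == "main":
            continue
        enforced, source = effective_gpgcheck(cp, repo)
        if not enforced:
            findings.append({
                "repo": repo,
                "baseurl": cp.get(repo, "baseurl", fallback="(none)"),
                "reason": "gpgcheck not set" if source == "unset"
                          else f"gpgcheck disabled in [{source}]",
            })
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        found = audit(conf)
        print(f"{label}: {len(found)} repositories without enforced gpgcheck")
        for f in found:
            print(f"  [{f['repo']}] {f['baseurl']} -- {f['reason']}")
```

Run against the weak sample it flags `[base]` (no `gpgcheck` anywhere) while `[updates]` passes on its own setting; the hardened sample produces no findings. Setting `gpgcheck=1` in `[main]` covers every repository that does not override it, which is the cheapest way to get the behaviour the post wants regardless of what the undocumented default turns out to be.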