On Tue, 15 Sep 2009, Jan Muhammad wrote:
> Hi Group, I am setting up my local Yum repository for testing purposes where I have 3 packages (A, B & C) to be pushed onto my clients. Before the server pushes or clients pull those packages, is there any way to verify the integrity of these packages from any trusted patch source such as Microsoft, Sun or NVD to make sure these do not have any vulnerabilities or compare them with CVE list.
You're deploying pkgs from Microsoft and Sun on a system that uses rpms? I think you've just made my brain hurt.
> Is there any way to test/verify my Yum repository to make sure it is up-to-date and does not contain any vulnerable package?
Are the pkgs YOUR pkgs that you built or are they from a vendor? If they are from a vendor - you can verify where they are from by the gpg signature on the package, which you can check.
As to verifying if the pkg supplies fixes for various bugs - that's up to your vendor. I don't know how yum would go about verifying that claim other than just assuming whatever metadata is in the pkg is true. What would you want yum to verify against?
Maybe I don't quite understand the problem you're trying to solve.

-sv
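
The gpg signature check mentioned in the reply above, as an added example that is not part of the original thread: it runs `rpm -K` over a repository directory and flags every package that is unsigned, fails verification, or is signed by a key that has not been imported. The function names, the package file names A, B and C, and the sample output lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a local repo directory with `rpm -K` (rpm --checksig).
# The vendor's public key must already be imported with `rpm --import <keyfile>`.

# Classify one line of `rpm -K` output. Covers the older per-algorithm
# format ("sha1 md5 gpg OK") and the newer summary ("digests signatures OK").
classify_checksig() {
    result=${1#*: }                      # drop the "file.rpm: " prefix
    case $result in
        *"NOT OK"*"MISSING KEYS"*) echo missing-key ;;  # signed, key not imported
        *"NOT OK"*)                echo bad ;;          # digest or signature failed
        *gpg*OK|*pgp*OK|*dsa*OK|*rsa*OK|*signatures*OK) echo signed-ok ;;
        *OK)                       echo unsigned ;;     # digests only, no signature
        *)                         echo unknown ;;
    esac
}

# Print every package in directory $1 that is not signed-ok; return 1 if any.
audit_repo() {
    failed=0
    for pkg in "$1"/*.rpm; do
        [ -e "$pkg" ] || continue
        status=$(classify_checksig "$(LC_ALL=C rpm -K "$pkg" 2>&1)")
        if [ "$status" != signed-ok ]; then
            echo "$status: $pkg"
            failed=1
        fi
    done
    return "$failed"
}

if [ $# -gt 0 ]; then
    audit_repo "$1"
else
    # Constructed sample lines (not real output from the poster's repo).
    while IFS= read -r line; do
        echo "$(classify_checksig "$line")  <-  $line"
    done <<'EOF'
A-1.0-1.noarch.rpm: (sha1) dsa sha1 md5 gpg OK
B-1.0-1.noarch.rpm: sha1 md5 OK
C-1.0-1.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)
EOF
fi
```

Clients apply the same signature check at install time when `gpgcheck=1` is set for the repository in its `.repo` file.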