rhn and apt-get (was Re: a few questions about RH9.0)

I am including some of the original conversation just to keep things in perspective. I was the one who made the "no worries" comment. I used no worries a bit loosely but I will explain what I was thinking (right or wrong you can decide). I'm not trying to get flamed or anything, I just don't think I explained myself well.

>>> // personal comment follows
>>> The rhnsd runs as root, basically that means Redhat have root-access
>>> to my system... Luckily they're not M$... And logged into the
>>> redhat-network on the web I can trigger software installs/uninstalls
>>> on my system...

This is the part I was addressing most. It seems that using RHN leaves a possibility to trigger actions as root over the Internet through a web interface. I don't know for sure but I am not aware of anything like this with apt-get.

>>> Very nice, well, trust RH 100%, or keep ur system up to date
>>> manually...

>> RHN provides some nice features if you need to use them.  But most
>> people don't need them.  Use apt-get/synaptic and have no worries.

> Use apt-get and let someone else have root access on your machine. You
> are aware that every rpm you install can contain scripts which run as
> root? It's just a question of who you trust more, Red Hat or the
> freshrpms (+ every other apt source you specify) people...

Any time you are installing software not developed by you personally you are letting someone else have root on your machine. You get to choose who you allow packages from with apt-get and it is very easy to set up your own private repository. From my experience it is much more of a pain to set up your own private up2date server.

> I'm not trying to make freshrpms look bad, as I'm a happy user myself
> but I triggered on the "no worries" a few posts back. I think everyone
> should at least make a conscious decision before adding "untrusted"
> binaries to their system.

The freshrpms repository offers mirrored packages from redhat in addition to their own custom packages. I did add one apt-source that screwed some things up. The way they named their packages ended up updating current software with old software (not freshrpms though). So it is very true that you need to be conscious about what binaries you trust.

> Anyway, I tend to trust Redhat a bit more since they have commercial
> interests in keeping their distribution "clean". I don't expect
> anybody in the open-source community trying to install back doors on
> systems, but who guarantees some rpm server far away won't be
> hacked into?

Also true.

Sorry to strike a nerve with some people.

Security issues or not, if you are looking for a nice flexible package manager give apt-get a try.





