Yum is great, but do you trust them?

William Hooper whooperhsd3 at earthlink.net
Tue Feb 10 21:22:03 UTC 2004


Dan Stoner said:
> Hi,
>
> I think yum is a great tool for easing the install and update of
> packages.  However, I'm a little concerned about the security of getting
> patches this way, especially with the recommendations of changing the
> yum.conf to include servers that are "closer."

That's why the packages are GPG signed.  If you don't trust the Fedora
Project's GPG key... then why did you install the distro :-)  Anyone know
if gpgcheck is defaulted to 1 or do you have to specify it?

[snip]
> After installing Fedora Core 1 and running yum update, some of the
> package updates display "MD5 digest: BAD".  Apparently, these packages
> did not have the expected checksums.  I believe they installed anyway.

I think you should check.  I think you will find either they were:
redownloaded and the next download wasn't corrupted or not installed.

> My initial response was to freak out about this, but some other Linux
> jockeys I spoke with said "no, that's normal, I see that all the time."

This is because they are not smart enough to use mirrors.  The extra load
on the main mirror is what causes some of these corrupt downloads in the
first place.

-- 
William Hooper
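The thread's open question is whether gpgcheck is on for every repository, since yum takes the value in [main] as a default and lets each repo section override it. The following is an added example, not code from the thread or from the yum project: a small audit script that parses a yum.conf and lists the repo sections whose effective gpgcheck is anything other than 1. The sample configuration is constructed for the example, the mirror hostnames are placeholders, and the choice to treat an entirely missing gpgcheck as "off" is an assumption (made so that the script errs toward flagging a repo).

```python
"""Audit a yum.conf for repositories that would accept unsigned packages.

yum semantics used here: a repo section inherits gpgcheck from [main] and
may override it.  If neither sets it, this script assumes the check is off.
"""
import configparser

# Constructed sample yum.conf (not from the mailing-list thread).
# 'base' inherits gpgcheck=1 from [main]; 'updates-released' turns it off;
# 'local-extras' sets it explicitly.
SAMPLE_YUM_CONF = """\
[main]
cachedir=/var/cache/yum
gpgcheck=1

[base]
name=Fedora Core $releasever - $basearch - Base
baseurl=http://mirror.example.invalid/fedora/core/$releasever/$basearch/os/

[updates-released]
name=Fedora Core $releasever - $basearch - Released Updates
baseurl=http://mirror.example.invalid/fedora/core/updates/$releasever/$basearch/
gpgcheck=0

[local-extras]
name=Local extras
baseurl=file:///srv/extras/
gpgcheck=1
"""


def parse_yum_conf(text):
    """Parse yum.conf text; interpolation is disabled so $releasever and
    $basearch are kept literally instead of being treated as substitutions."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def effective_gpgcheck(cfg, section, default_when_unset="0"):
    """Return the gpgcheck value that applies to one repo section.

    Order of precedence: the repo's own setting, then [main], then the
    assumed default (off) when neither mentions gpgcheck."""
    main_default = default_when_unset
    if cfg.has_section("main"):
        main_default = cfg["main"].get("gpgcheck", default_when_unset)
    return cfg[section].get("gpgcheck", main_default).strip()


def unsigned_repos(text):
    """Names of repo sections whose effective gpgcheck is not 1."""
    cfg = parse_yum_conf(text)
    return [
        section
        for section in cfg.sections()
        if section != "main" and effective_gpgcheck(cfg, section) != "1"
    ]


def report(text):
    """Human-readable audit summary, one line per repo."""
    cfg = parse_yum_conf(text)
    lines = []
    for section in cfg.sections():
        if section == "main":
            continue
        value = effective_gpgcheck(cfg, section)
        status = "ok" if value == "1" else "UNSIGNED PACKAGES ACCEPTED"
        lines.append(f"{section}: gpgcheck={value} ({status})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Audit the constructed sample; pass a real file's contents instead:
    #   unsigned_repos(open("/etc/yum.conf").read())
    print(report(SAMPLE_YUM_CONF))
```

Run it against the real file with `python3 audit.py` after swapping in `open("/etc/yum.conf").read()`; any repo the script flags is one where a corrupted or substituted download would be installed without a signature check, which is exactly the risk the original poster raises about adding "closer" mirrors.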
