pretty up2date vs reliable yum?

James Wilkinson james at westexe.demon.co.uk
Wed Jan 26 01:57:21 UTC 2005 

Scot L. Harris wrote:
> IMHO automatic updates may be fine for home users, and for home users
> should probably be the default.  But for production level
> systems/servers I would never permit automatic updates.  First problem
> is having an updated package knock your service down or worse cause your
> system to lose data.  Second problem is security.  If the particular
> mirror being used happens to get compromised then you could have dozens
> if not hundreds of systems running trojan software which reports back to
> the person that compromised the mirror.

That's been thought about, and there is a mechanism in place to stop it
happening.

Assuming that you actually imported the right GPG keys, and still have
gpgcheck=1 in your /etc/yum.conf, then there is no way for an attacker
to generate packages that your system will accept unless they have a
copy of the *private* key corresponding to one you installed.

The whole point of the GPG key palaver is to prevent rogue mirrors and
other errors in transmission.

> Taking a few minutes to review security updates and package updates is
> worth it.

I thoroughly agree (assuming the reviewer has the basic IT competence to
understand the notifications).

> In a true production environment one would never auto update
> the production system.  Such changes would be done on a staging
> environment and testing performed to make sure everything works as
> expected.  Then a planned roll out of the updates can be scheduled.

I wish!

*Lots* of (usually small) companies will try "fire and forget" with
their servers, be they Windows, Linux, or whatever. They may not *have*
an IT staff, and decide that they will only get someone in to set up new
systems or when there is a problem.

In such cases, the only rational thing for the installer to do is to
completely firewall the server (not exactly possible for e-mail
servers...) or to trust the auto-update.

James.
-- 
James Wilkinson       | After all, all he did was string together a lot
Exeter    Devon    UK | of old, well-known quotations.
E-mail address: james |     -- H.L. Mencken, on Shakespeare
@westexe.demon.co.uk  |

More information about the users mailing list