Hi Joe, Thank you for your answers! May I conclude that is is safe to accept gnupg keys from repositories in yast2 -> Community Repositories ? What do you mean with "the packages... are signed and checked independently"? Does this mean the repo owner checks the packages for vulnerabilities and yast only checks if the contents matches with the signature of the repo owner? Which trusted sources for (source) rpm's do you recommend? Thanks again. Regard, Aniruddha On Mon, 2007-10-08 at 19:41 +0800, Joe Morris (NTM) wrote:
On 10/08/2007 07:21 PM, Aniruddha wrote:
Coming from Gentoo I wonder how do I keep openSUSE secure (e.g. for rootkits)? In Gentoo there is one repository with 11.000+ packages which are all checked for vulnerabilities and verified with shasum.
In contrast openSUSE has many different repositories (Packman, Guru etc). I assume these are trusted resources. How can I tell if these rpm's are tampered with?
use Yast to install your packages. It checks the gpg signatures to verify every package installed.
How do I safely use the gnupg key system for repositories? repository files are signed as well as each package. These are also checked by Yast. Is accepting these keys when adding repositories with yast the preferred way? Depends on your paranoia. You could also check the authenticity before accepting, but remember that is only the authenticity of the files that describe the contents to yast, NOT the packages themselves. They are signed and checked independently. And if so how can I tell these are the correct keys?
They are usually published on the web sites and or via the gpg key servers.
What about rootkits? How do I protect my system for rootkits when downloading rpm's from sites such as rpmbone?
Only get packages from trusted sources. If it isn't available, ask or build it yourself. You can download the src rpms and build it on your machine and check it to be sure.
And my last question; where do I find security information for openSUSE?
Yast Online Update
Is there a news site or mailinglist with announcement about security threats and vulnerabilities?
Yes, opensuse-security@opensuse.org and opensuse-security-announce@opensuse.org
I ask these questions because I am planning to sell openSUSE 10.3 on retail pc's through my company. I want the make sure I get all the pro's and cons of openSUSE security wise before doing so.
HTH
-- Joe Morris Registered Linux user 231871 running openSUSE 10.2 x86_64
--------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org