Hi SuSE: I have recently installed the 6.4 version and I want to secure my machine. Is there any way of *auto*-updating *all* (installed) RPMs via the SuSE web? Which URL should I use to get the most recent updates for my distro? I think this is a FAQ, I have RTFM... but I want no silly mistakes, so I prefer asking here and getting always up-to-date info :-) Thanks folks!

--
** RoMaN SoFt / LLFB ** roman@madrid.com http://bart.us.es/~roman
Hi, Sorry to bring this up here but I recently downloaded a bunch of rpms for security updates from the SuSE ftp server. I noticed that Marc/Thomas/Roman always give the checksums in their advisories. But sometimes the relevant rpms are later updated without a new MD5 being included. I imagine in some cases these updates do not originate with the security dept. However, security guys -- I think you do a great job, btw -- perhaps you could make it a company policy that all packages on the ftp server have checksums -- perhaps in the index file in each folder? And perhaps this could then be PGP signed?

Thanks,
Corvin
* Corvin Russell wrote on Thu, Aug 31, 2000 at 16:50 -0400:
> perhaps you could make it a company policy that all packages on the ftp server have checksums -- perhaps in the index file in each folder?
Are you talking about MD5 sums in a list file on the FTP server? In that case this wouldn't make any sense: who is able to change the RPM packages, would be able to change the list file too...
> And perhaps this could then be PGP signed?

Good point! I remember we had this topic here already, and IIRC SuSE is going to sign in the future. Or maybe SuSE 7.0 is already signed?

oki,
Steffen

--
This message was generated by machine; it therefore bears neither signature nor seal.
> Are you talking about MD5 sums in a list file on the FTP server? In that case this wouldn't make any sense: who is able to change the RPM packages, would be able to change the list file too...

They publish the MD5's in security announcements that are sent to Bugtraq/etc. These MD5 sums are available in many places, such as my weekly Linux security digest.
> And perhaps this could then be PGP signed?

> Good point! I remember we had this topic here already, and IIRC suse is going to sign in the future. Or maybe SuSE 7.0 is already signed?

I seem to remember that too. In any case I'll be doing a review of it when it comes out and they'll be roasted (just like I did Debian =) if packages are not signed.

> oki,
> Steffen
-Kurt
Hi, On Thu, Aug 31, Kurt Seifried wrote:
> I seem to remember that too. In any case I'll be doing a review of it when it comes out and they'll be roasted (just like I did Debian =) if packages are not signed.
In SuSE 7.0 packages are not yet signed so feel free to handle us the same way as Debian.
> -Kurt

-o) Hubert Mantel
/\\ Goodbye, dots...
_\_v
> Are you talking about MD5 sums in a list file on the FTP server? In that case this wouldn't make any sense: who is able to change the RPM packages, would be able to change the list file too...
I fully agree, but as far as I can tell, excepting security bulletins, that's where the MD5 checksums are going as it is -- when they're there at all. To minimize the risk of tampering, I suggested PGP-signing the checksum list; better, of course, as you and Kurt have pointed out, is also PGP-signing the packages.
> And perhaps this could then be PGP signed?

> Good point! I remember we had this topic here already, and IIRC suse is going to sign in the future. Or maybe SuSE 7.0 is already signed?

ciao
Corvin

--
Corvin Russell <corvinr@sympatico.ca>
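Steffen's point (a checksum list on the same server adds nothing, because whoever can swap the RPM can regenerate the list) and Kurt's note that the sums also travel out of band in advisories, as an added Python example that is not part of the original thread. The package bytes, file name and digests are constructed; the out-of-band advisory stands in for the PGP-signed list Corvin proposes, since the stdlib has no OpenPGP support.

```python
import hashlib

# Constructed sample: the package a mirror serves, and the MD5 that the
# security advisory (mailed to Bugtraq etc.) printed for it.
GOOD_PKG = b"fake-rpm-contents-v1"
ADVISORY_MD5 = {"fake-1.0.rpm": hashlib.md5(GOOD_PKG).hexdigest()}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def serve(packages: dict) -> dict:
    """Model a mirror: the files plus an MD5SUMS list built from those files."""
    listing = "\n".join(f"{md5_hex(b)}  {n}" for n, b in packages.items())
    return {**packages, "MD5SUMS": listing.encode()}


def check_against_listing(files: dict) -> bool:
    """What `md5sum -c MD5SUMS` does: trust the list sitting on the same server."""
    for line in files["MD5SUMS"].decode().splitlines():
        digest, name = line.split("  ", 1)
        if md5_hex(files[name]) != digest:
            return False
    return True


def check_against_advisory(files: dict, advisory: dict) -> bool:
    """Compare against digests obtained out of band (the advisory)."""
    return all(md5_hex(files[n]) == d for n, d in advisory.items())


def demo() -> dict:
    honest = serve({"fake-1.0.rpm": GOOD_PKG})
    # Whoever can replace the package on the mirror regenerates MD5SUMS as well.
    tampered = serve({"fake-1.0.rpm": b"fake-rpm-contents-modified"})
    return {
        "honest_listing": check_against_listing(honest),
        "honest_advisory": check_against_advisory(honest, ADVISORY_MD5),
        "tampered_listing": check_against_listing(tampered),   # passes: the list is useless here
        "tampered_advisory": check_against_advisory(tampered, ADVISORY_MD5),  # caught
    }


if __name__ == "__main__":
    print(demo())
```

The same split applies to a PGP-signed list: the signature moves the trust anchor off the mirror, onto a key the downloader already holds.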