[opensuse-security] How do I keep openSUSE secure?
Coming from Gentoo I wonder how do I keep openSUSE secure (e.g. against rootkits)? In Gentoo there is one repository with 11.000+ packages which are all checked for vulnerabilities and verified with shasum. In contrast openSUSE has many different repositories (Packman, Guru etc.). I assume these are trusted resources. How can I tell if these RPMs are tampered with? How do I safely use the GnuPG key system for repositories? Is accepting these keys when adding repositories with YaST the preferred way? And if so, how can I tell these are the correct keys? What about rootkits? How do I protect my system from rootkits when downloading RPMs from sites such as rpmbone? And my last question: where do I find security information for openSUSE? Is there a news site or mailing list with announcements about security threats and vulnerabilities? I ask these questions because I am planning to sell openSUSE 10.3 on retail PCs through my company. I want to make sure I get all the pros and cons of openSUSE security-wise before doing so. Thanks in advance! Regards, Aniruddha
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
On Mon, Oct 08, 2007 at 01:21:47PM +0200, Aniruddha wrote:
Coming from Gentoo I wonder how do I keep openSUSE secure (e.g. against rootkits)? In Gentoo there is one repository with 11.000+ packages which are all checked for vulnerabilities and verified with shasum.
In contrast openSUSE has many different repositories (Packman, Guru etc.). I assume these are trusted resources. How can I tell if these RPMs are tampered with?
From the SUSE Security team perspective, only the official repositories (the OSS, Non-OSS and Update repos) are fully assured and updated with security fixes. The GPG keys for those are checked and are already on the CD/DVD.
The build service hosts packages by any user who wants to build them; here you mostly have to trust the repository and its packagers. There is no SUSE assurance for it. There is 1 global build service key, but this will be changed to 1 key per build service repo. Packman and others have dedicated developers, usually not working for SUSE, and you have to decide whether to trust them.
How do I safely use the GnuPG key system for repositories? Is accepting these keys when adding repositories with YaST the preferred way? And if so, how can I tell these are the correct keys?
SUSE repos - no import dialog should appear, the keys are preconfigured.
Other repos - the id and the fingerprint are shown and you should review them (and can fetch the key in another shell and use GPG to check it).
What about rootkits? How do I protect my system from rootkits when downloading RPMs from sites such as rpmbone?
Difficult, because you don't really know what is in those RPMs.
And my last question: where do I find security information for openSUSE? Is there a news site or mailing list with announcements about security threats and vulnerabilities?
Others mentioned our mailing lists, opensuse-security and opensuse-security-announce, reachable from http://lists.opensuse.org . Also check http://www.novell.com/linux/security/securitysupport.html Ciao, Marcus
On 10/8/07, Marcus Meissner wrote:
How do I safely use the GnuPG key system for repositories? Is accepting these keys when adding repositories with YaST the preferred way? And if so, how can I tell these are the correct keys?
SUSE repos - no import dialog should appear, the keys are preconfigured.
Other repos - the id and the fingerprint are shown and you should review them (and can fetch the key in another shell and use GPG to check it).
What about rootkits? How do I protect my system from rootkits when downloading RPMs from sites such as rpmbone?
Hello, where does YaST keep the keys? -- cheers, dg
On Mon, Oct 08, 2007 at 08:34:36AM -0400, darko g wrote:
On 10/8/07, Marcus Meissner wrote:
How do I safely use the GnuPG key system for repositories? Is accepting these keys when adding repositories with YaST the preferred way? And if so, how can I tell these are the correct keys?
SUSE repos - no import dialog should appear, the keys are preconfigured.
Other repos - the id and the fingerprint are shown and you should review them (and can fetch the key in another shell and use GPG to check it).
What about rootkits? How do I protect my system from rootkits when downloading RPMs from sites such as rpmbone?
Hello, where does YaST keep the keys?
In the RPM database:
rpm -qa|grep gpg-pubkey
You can remove them with "rpm -e" for instance. There is no GUI for it yet. Ciao, Marcus
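Putting Marcus's two answers together (review the id and fingerprint of a repository key with GPG in another shell; the imported keys live in the RPM database as gpg-pubkey packages), here is an added example, not code from the thread, that lists those keys with their fingerprints, compares a fingerprint shown by YaST against the one you obtained out of band, and checks a downloaded package's signature. It assumes the rpm and gpg command-line tools (gpg 2.1.14 or later for `--import-options show-only`); the key names and fingerprints in comments are constructed.

```shell
#!/bin/sh
# Added example: inspect repository signing keys imported into the RPM
# database and verify a package against them. Assumes rpm and gpg are
# installed; gpg >= 2.1.14 is needed for "--import-options show-only".

# Normalise a fingerprint as rendered by YaST's import dialog or by gpg
# (drop whitespace, upper-case hex) so two renderings compare literally.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Exit status 0 when the fingerprint in $1 equals the expected one in $2,
# e.g. the value printed on the repository's web page or read from the DVD.
fpr_matches() {
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# One line per imported key: package name (gpg-pubkey-<keyid>-<timestamp>)
# followed by the key's summary (its user id).
list_imported_keys() {
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n'
}

# Full fingerprint of one imported key, derived by gpg from the armored
# public key block that rpm stores in the package description.
key_fingerprint() {   # $1 = gpg-pubkey-<keyid>-<timestamp>
    rpm -qi "$1" \
      | sed -n '/^-----BEGIN PGP PUBLIC KEY BLOCK-----/,/^-----END PGP PUBLIC KEY BLOCK-----/p' \
      | gpg --with-colons --import-options show-only --import 2>/dev/null \
      | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Check a downloaded .rpm: rpm -K reports the signature and digests and
# returns non-zero if the signature is missing, bad, or from an unknown key.
verify_rpm() {
    rpm -K "$1"
}

# Typical session (constructed key name; output depends on your system):
#   list_imported_keys
#   key_fingerprint gpg-pubkey-0123abcd-45678901
#   fpr_matches "$(key_fingerprint gpg-pubkey-0123abcd-45678901)" \
#       "AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333" && echo "key matches"
#   verify_rpm ./some-package.rpm
```

A key that fails fpr_matches should be removed with `rpm -e gpg-pubkey-<keyid>-<timestamp>` before the repository is used.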
participants (3): Aniruddha, darko g, Marcus Meissner