On Thu, Feb 27, 2003 at 12:33:35PM -0500, Jennifer Fountain wrote:
> Hi All:
> 
> I wanted your opinion about retrieving updates from the Red Hat Network via the rh 
> agent.  I absolutely love the fact that Red Hat emails you with updates and the 
> agent (acting like the Windows update agent or did Windows steal this from rh:)) can 
> retrieve these updates.  However, I am not sure how "secure" or if I should be 
> concerned about this process.  What is the consensus from everyone?  Good tool?  
> Shouldn't use it because...?
> 

My comments on how "secure" it is are based on my experiences in setting
up a "current" server. This is an implementation of a server for the up2date
tools. (http://current.tigris.org)

There are a number of factors which Red Hat is using to keep the facility
secure:
        - The service is supplied over an https connection and an SSL
          key is locally stored on your machine to verify the connection.
        - up2date will NOT proceed if it gets an RPM that is not signed
          by an appropriate key (Red Hat's by default).
        - up2date is careful to not update certain rpms automatically.
          Kernel updates are not automatic, nor will it update rpms that
          have had configuration changes made to them. This behaviour is,
          of course, configurable.
        - If you're REALLY concerned, you can run up2date manually and choose
          which updates you want at any given time!!

There may be other security factors I'm not aware of, but these are the
main points I would be concerned about.


-- 
Steven Leikeim                        |
University of Calgary                 |   There are lies, damned lies,
Department of Electrical Engineering  |        and statistics.
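
The safeguards listed in the reply above correspond to settings in the up2date client configuration. As an added example (not part of the original message, and not code from Red Hat or the current project), this Python script audits such a file for them; the key names serverURL, sslCACert, useGPG, pkgSkipList and noReplaceConfig are assumed to be those of up2date's /etc/sysconfig/rhn/up2date file, and the sample contents and host name are constructed.

```python
# Added example: audit an up2date-style config for the safeguards listed above.
# SAMPLE is constructed for illustration; it is not taken from a real host.
import fnmatch

SAMPLE = """\
serverURL[comment]=Remote server URL
serverURL=http://current.example.org/XMLRPC
sslCACert=/usr/share/rhn/RHNS-CA-CERT
useGPG[comment]=Use GPG to verify package integrity
useGPG=0
pkgSkipList=kernel*;
noReplaceConfig=1
"""

def parse(text):
    """Return {key: value}, ignoring blanks, # comments and key[comment] lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip()
        if key.endswith("]"):      # description line, e.g. useGPG[comment]=...
            continue
        conf[key] = value.strip()
    return conf

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse(text)
    findings = []
    if not conf.get("serverURL", "").lower().startswith("https://"):
        findings.append("serverURL is not https")
    if not conf.get("sslCACert"):
        findings.append("sslCACert is not set")
    if conf.get("useGPG") != "1":
        findings.append("useGPG is not 1: unsigned RPMs would be accepted")
    skip = [p for p in conf.get("pkgSkipList", "").split(";") if p]
    if not any(fnmatch.fnmatch("kernel", p) for p in skip):
        findings.append("pkgSkipList does not cover kernel packages")
    if conf.get("noReplaceConfig") != "1":
        findings.append("noReplaceConfig is not 1")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["no findings"]:
        print(finding)
```

To check a real machine, pass the contents of its configuration file to audit() in place of SAMPLE.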
