On 10/08/2007 07:21 PM, Aniruddha wrote:
> Coming from Gentoo I wonder how do I keep openSUSE secure (e.g. for
> rootkits)? In Gentoo there is one repository with 11.000+ packages which
> are all checked for vulnerabilities and verified with shasum.
>
> In contrast openSUSE has many different repositories (Packman, Guru
> etc). I assume these are trusted resources. How can I tell if these
> rpm's are tampered with? 
>   
Use Yast to install your packages.  It checks the gpg signatures to
verify every package installed.
> How do I safely use the gnupg key system for repositories? 
Repository files are signed as well as each package.  These are also
checked by Yast.
> Is accepting
> these keys when adding repositories with yast the preferred way? 
Depends on your paranoia.  You could also check the authenticity before
accepting, but remember that is only the authenticity of the files that
describe the contents to yast, NOT the packages themselves.  They are
signed and checked independently.
> And if
> so how can I tell these are the correct keys?
>   
They are usually published on the web sites and/or via the gpg key servers.
> What about rootkits? How do I protect my system for rootkits when
> downloading rpm's from sites such as rpmbone?
>   
Only get packages from trusted sources.  If it isn't available, ask or
build it yourself.  You can download the src rpms and build it on your
machine and check it to be sure.
> And my last question; where do I find security information for openSUSE?
>   
Yast Online Update
> Is there a news site or mailing list with announcements about security
> threats and vulnerabilities?
>   
Yes, [EMAIL PROTECTED] and
[EMAIL PROTECTED]
> I ask these questions because I am planning to sell openSUSE 10.3 on
> retail pc's through my company. I want to make sure I get all the pro's
> and cons of openSUSE security wise before doing so.
>
>   
HTH

-- 
Joe Morris
Registered Linux user 231871 running openSUSE 10.2 x86_64
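
For packages fetched outside YaST, as in the rpmbone question above, `rpm -K` can check a file by hand, but it also reports OK for a package that carries no signature at all. The following is an added example, not part of Joe Morris's message; the function names and sample lines are constructed, and the two output layouts it handles are an assumption about the installed rpm version.

```shell
#!/bin/sh
# Classify one line of `rpm -K` output as verified, unsigned or failed.
# Assumed layouts: older "pkg.rpm: (sha1) dsa sha1 md5 gpg OK" and
# newer "pkg.rpm: digests signatures OK"; rpm prints a failed or
# unverifiable check in upper case together with "NOT OK".
classify_checksig() {
    result=${1#*: }                      # strip the "file.rpm: " prefix
    case "$result" in
        *"NOT OK"*) echo failed; return 0 ;;
        *OK) ;;
        *) echo failed; return 0 ;;
    esac
    # A digest-only line ("sha1 md5 OK", "digests OK") proves nothing
    # about origin: the package carries no signature at all.
    case " $result " in
        *" gpg "*|*" pgp "*|*" dsa "*|*" rsa "*|*" signatures "*)
            echo verified ;;
        *)  echo unsigned ;;
    esac
}

# Succeed only for a package whose signature checked out against a key
# already imported into the rpm keyring.
verify_rpm() {
    out=$(LC_ALL=C rpm -K "$1" 2>&1) || { echo "$out" >&2; return 1; }
    verdict=$(classify_checksig "$out")
    echo "$1: $verdict"
    [ "$verdict" = verified ]
}

# Constructed sample lines (not captured from a real system).
SAMPLE_SIGNED='foo-1.0-1.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK'
SAMPLE_UNSIGNED='foo-1.0-1.x86_64.rpm: sha1 md5 OK'
SAMPLE_NOKEY='foo-1.0-1.x86_64.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)'

for line in "$SAMPLE_SIGNED" "$SAMPLE_UNSIGNED" "$SAMPLE_NOKEY"; do
    printf '%s -> %s\n' "$line" "$(classify_checksig "$line")"
done
```

Calling `verify_rpm` on a downloaded file before installing it treats the unsigned and missing-key cases as failures rather than trusting the exit status of `rpm -K` alone.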




