 | | | rhn and apt-get (was Re: a few questions about RH9.0) | rhn and apt-get (was Re: a few questions about RH9.0) 2003-04-28 - By John Zimmerman
Back
I am including some of the original conversation just to keep things in
perspective. I was the one who made the "no worries " comment. I used
no worries a bit loosely but I will explain what I was thinking (right
or wrong you can decide). I 'm not trying to get flamed or anything, I
just don 't think I explained myself well.
> > > // personal comment follows
> > > The rhnsd runs as root, basically that means Redhat have root-access
> > > to my system... Luckily they 're not M$... And logged into the
> > > redhat-network on the web I can trigger software installs/uninstalls
> > > on my system...
This is the part I was getting addressing most. It seems that using RHN
leaves a possiblity to trigger actions as root over the Internet through
a web interface. I don 't know for sure but I am not aware of anything
like this with apt-get.
> > > Very nice, well, trust RH 100%, or keep ur system up to date
> > > manually...
> > RHN provides some nice features if you need to use them. But most
> > people don 't need them. Use apt-get/synaptic and have no worries.
> Use apt-get and let someone else have root access on your machine. You
> are aware that every rpm you install can contain scripts which run as
> root? It 's just a question of who you trust more, Red Hat or the
> freshrpms (+ every other apt source you specify) people...
Any time you are installing software not developed by your personally
you are letting someone else have root on your machine. You get to
choose who you allow packages from with apt-get and it is very easy to
setup your own private repository. From my experience it is much more
of a pain to set up your own private up2date server.
> I 'm not trying to make freshrpms look bad, as I 'm a happy user myself
> but I triggered on the "no worries " a few posts back. I think everyone
> should at least make a conscious decision before adding "untrusted "
> binaries to their system.
The freshrpms repository offers mirrored packages from redhat in
addition to their own custom packages. I did add one apt-source that
screwed some things up. The way they named their packages ended up
updateing current software with old software (not freshrpms though). So
it is very true that you need to be conscious about what binaries you
trust.
> Anyway, I tend to trust Redhat a bit more since they have commercial
> interests in keeping their distribution "clean ". I don 't expect
> anybody in the open-source community trying to install back doors on
> systems, but who guarantees some rpm server far away won 't be
> hacked into?
Also true.
Sorry to strike a nerve with some people.
Security issues or not, if you are looking for a nice flexible package
manager give apt-get a try.
|
|
|