What 3rd party repos can I trust

Support for security such as Firewalls and securing linux
Post Reply
addw
Posts: 30
Joined: 2005/10/23 14:11:29
Location: England
Contact:

What 3rd party repos can I trust

Post by addw » 2018/10/18 14:39:49

I want a package that is not in a 'standard' CentOS repo. I can see it at rpmfind.net & centos.pkgs.org; but how much should I trust these sites ?
I am looking at it from the point of view of security, ie that the RPMs have not been 'cooked' to contain some extra code to do something nasty like installing a root-kit.

I trust CentOS.org + EPEL, I kind of have to if I don't want to build everything from source. I can trust their mirrors as the packages are signed.

The package is mtop (which I could get direct from http://jeremy.zawodny.com - but I installed mytop from EPEL instead); but the question still stands.

YBellefeuille
Posts: 319
Joined: 2012/03/06 22:30:17
Location: Ottawa

Re: What 3rd party repos can I trust

Post by YBellefeuille » 2018/10/18 16:50:18

The wiki has useful information; see also the information about the priorities plugin.

addw
Posts: 30
Joined: 2005/10/23 14:11:29
Location: England
Contact:

Re: What 3rd party repos can I trust ?

Post by addw » 2018/10/18 16:59:25

I looked at the wiki, it doesn't address my issue. How to ascertain the the 'good intent' of sources of software that are not in the standard list.

I do use the priorities plugin; although the purpose is to solve a different problem - a 3rd party repo not 'overwriting' a CentOS one.

User avatar
TrevorH
Forum Moderator
Posts: 23861
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: What 3rd party repos can I trust

Post by TrevorH » 2018/10/19 07:59:53

Both rpmfind and pkgs.org do not package or host their own repos. Both are basically search engines that point you to other repos.

And for the trust issue, you can't trust anyone anywhere :-)

However, you can look at the repos and see who is behind them and what their history is. For example, IUS is run by Rackspace employees in their spare time (it's not an official Rackspace project) so the level of trust for that repo is fairly high fro me. Nux-dextop is run by one guy but has been around for a long time and seems quite reputable. EPEL is run (indirectly) by Redhat via Fedora. If you have specific other repos in mind, feel free to name and shame them!
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

Post Reply