I want a package that is not in a 'standard' CentOS repo. I can see it at rpmfind.net & centos.pkgs.org; but how much should I trust these sites?
I am looking at it from the point of view of security, i.e. that the RPMs have not been 'cooked' to contain some extra code to do something nasty like installing a root-kit.
I trust CentOS.org + EPEL, I kind of have to if I don't want to build everything from source. I can trust their mirrors as the packages are signed.
The package is mtop (which I could get direct from http://jeremy.zawodny.com - but I installed mytop from EPEL instead); but the question still stands.
What 3rd party repos can I trust
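The check that matters for the question above (did the RPM arrive signed, and by a key I chose to import?) can be scripted. The following is an added example, not code from the thread or from CentOS: it wraps `rpm --checksig` and classifies its one-line verdict, refusing anything that is unsigned, fails verification, or is signed by a key missing from the rpm database. The sample output lines are constructed; their two shapes are assumed from the rpm versions shipped with CentOS 6/7 (`... pgp md5 OK`) and newer rpm (`digests signatures OK`), and the file name and key id are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a downloaded RPM may be
# installed, based on the verdict of 'rpm --checksig' (alias: rpm -K).
#
# Real commands to run by hand on a CentOS box (not executed by the parser below):
#   rpm --checksig /path/to/pkg.rpm                 # digest + signature check
#   rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
#                                                    # which keys you currently trust
#   rpm -qp --qf '%{SIGPGP:pgpsig}\n' /path/to/pkg.rpm
#                                                    # key id the package was signed with
# Only import a repo key (rpm --import) after checking its fingerprint against
# the repo's own published one; a signature from an unknown key proves nothing.

# rpm_sig_ok LINE: classify one line of 'rpm --checksig' output.
# Returns 0 only when a signature was present AND verified; 1 for
# "NOT OK", "MISSING KEYS", digest-only (unsigned) output, or an unknown format.
rpm_sig_ok() {
    line="$1"
    case "$line" in
        *"NOT OK"*)        return 1 ;;   # digest or signature failed (any rpm version)
        *"MISSING KEYS"*)  return 1 ;;   # signed, but by a key not in the rpm db
        *pgp*OK)           return 0 ;;   # rpm 4.8/4.11 style: "... pgp md5 OK"
        *[Ss]ignatures*OK) return 0 ;;   # rpm 4.14+ style: "digests signatures OK"
        *)                 return 1 ;;   # "sha1 md5 OK" / "digests OK" = unsigned
    esac
}

# check_rpm FILE: run the real check and refuse the package unless it passes.
check_rpm() {
    out=$(rpm --checksig "$1" 2>&1) || true
    if rpm_sig_ok "$out"; then
        echo "OK:     $out"
        return 0
    else
        echo "REFUSE: $out" >&2
        return 1
    fi
}

# Constructed sample verdicts (placeholder file name and key id), used to
# exercise the classifier without an rpm database present.
SAMPLE_SIGNED_OLD="mtop-x.y-1.el6.noarch.rpm: rsa sha1 (md5) pgp md5 OK"
SAMPLE_SIGNED_NEW="mtop-x.y-1.el6.noarch.rpm: digests signatures OK"
SAMPLE_UNSIGNED="mtop-x.y-1.el6.noarch.rpm: sha1 md5 OK"
SAMPLE_NOKEY="mtop-x.y-1.el6.noarch.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#00000000)"

for s in "$SAMPLE_SIGNED_OLD" "$SAMPLE_SIGNED_NEW" "$SAMPLE_UNSIGNED" "$SAMPLE_NOKEY"; do
    if rpm_sig_ok "$s"; then echo "accept: $s"; else echo "refuse: $s"; fi
done
```

Usage on a real system is `check_rpm mtop-x.y-1.el6.noarch.rpm` before `yum localinstall`; note that `yum` with `gpgcheck=1` in the repo stanza does the same refusal automatically for packages pulled from a configured repo, so this script mainly matters for RPMs fetched by hand from a search site like rpmfind or pkgs.org.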
Re: What 3rd party repos can I trust
The wiki has useful information; see also the information about the priorities plugin.
Re: What 3rd party repos can I trust?
I looked at the wiki, it doesn't address my issue: how to ascertain the 'good intent' of sources of software that are not in the standard list.
I do use the priorities plugin; although the purpose is to solve a different problem - a 3rd party repo not 'overwriting' a CentOS one.
Re: What 3rd party repos can I trust
Neither rpmfind nor pkgs.org packages or hosts its own repos. Both are basically search engines that point you to other repos.
And for the trust issue, you can't trust anyone anywhere.
However, you can look at the repos and see who is behind them and what their history is. For example, IUS is run by Rackspace employees in their spare time (it's not an official Rackspace project), so the level of trust for that repo is fairly high for me. Nux-dextop is run by one guy but has been around for a long time and seems quite reputable. EPEL is run (indirectly) by Redhat via Fedora. If you have specific other repos in mind, feel free to name and shame them!
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke