Rich Freeman via plug on 20 Sep 2019 11:44:13 -0700
Re: [PLUG] The lock down?! Uhh.. why?
On Fri, Sep 20, 2019 at 11:34 AM Joe Rosato via plug <plug@lists.phillylinux.org> wrote:
>
> As for RHEL there has been the push for RHSM away from RHN. Take a look at the repo files - https, not http.
>
> What is the thinking here? Can't tell if I'm just old school or if this is.. well.. bad. The gpgcheck for signatures covers fears of bogus repos. Why add https?
>

Seems like a best practice all around. Here is my thinking:

The only cost is a bit of CPU - not a big deal.

The upsides are:

1. Nobody can see what you're downloading, installing, and so on.
2. The connection is harder to tamper with in general.
3. Nobody can feed junk into your connection, which means that if your package manager has some kind of input-sanitization issue you're less vulnerable since only repos you're pulling from can inject something into the data stream.
4. The only thing vulnerable to tampering from a MITM is your ssl library, which probably gets a lot more scrutiny in general than your package manager.

Sure, I agree that in theory the gpg sigs will authenticate the package files themselves just fine. SSL might add relatively little additional benefit, but IMO the additional cost is lower still, so it is still a good payoff.

Plus it checks all the IT security boxes. We're talking about Redhat here. If your corporate IT security department gives you an option of checking yes to "uses SSL?" or checking no and filling out half a page of justification and getting approvals, I imagine the chief sysadmin would prefer to just check the yes box...

--
Rich

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
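The transport-versus-signature question argued in the thread, as an added example that is not part of any post: a small Python auditor that parses yum/dnf `.repo` files and flags enabled repos whose sources are plaintext `http://` (metadata readable and tamperable in transit) or whose `gpgcheck` is off (nothing authenticates the packages at all). The sample repo file and its hostnames are constructed for the example.

```python
# Added example (not from the PLUG thread): audit yum/dnf .repo files for
# plaintext HTTP sources and disabled signature checks.
import configparser

# Constructed sample: one well-configured repo and two weak ones.
SAMPLE_REPO_FILE = """
[baseos]
name=BaseOS over TLS with signature checks
baseurl=https://cdn.example.internal/rhel/8/x86_64/baseos/
enabled=1
gpgcheck=1

[legacy-mirror]
name=Old internal mirror (plaintext transport)
baseurl=http://mirror.example.internal/rhel/8/x86_64/
enabled=1
gpgcheck=1

[vendor-tools]
name=Vendor tools (plaintext transport, no signature check)
mirrorlist=http://mirrors.example.internal/tools?arch=$basearch
enabled=1
gpgcheck=0
"""

URL_KEYS = ("baseurl", "mirrorlist", "metalink")

def audit_repos(text):
    """Return {repo_id: sorted issues} for enabled repos with a weakness."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep $basearch literal
    cfg.read_string(text)
    findings = {}
    for repo in cfg.sections():
        sec = cfg[repo]
        if sec.get("enabled", "1").strip() != "1":
            continue  # a disabled repo is never fetched
        issues = []
        urls = [u for key in URL_KEYS for u in sec.get(key, "").split()]
        if any(u.lower().startswith("http://") for u in urls):
            issues.append("plaintext-http")  # metadata readable and tamperable in transit
        if sec.get("gpgcheck", "0").strip() != "1":
            issues.append("gpgcheck-disabled")  # nothing authenticates the packages
        if issues:
            findings[repo] = sorted(issues)
    return findings

if __name__ == "__main__":
    for repo, issues in audit_repos(SAMPLE_REPO_FILE).items():
        print(f"{repo}: {', '.join(issues)}")
```

Pointing `audit_repos` at the contents of each file under `/etc/yum.repos.d/` gives a quick inventory of which repos rely on signatures alone and which have neither protection.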