Rich Freeman via plug on 20 Sep 2019 11:44:13 -0700


Re: [PLUG] The lock down?! Uhh.. why?

On Fri, Sep 20, 2019 at 11:34 AM Joe Rosato via plug
<> wrote:
> As for RHEL there has been the push for RHSM away from RHN. Take a look at the repo files -  https, not http.
> What is the thinking here? Can't tell if I'm just old school or if this is.. well.. bad. The gpgcheck for signatures covers fears of bogus repos. Why add https?

Seems like a best practice all around.  Here is my thinking:

The only cost is a bit of CPU - not a big deal.

The upsides are:
1. Nobody can see what you're downloading, installing, and so on.
2. The connection is harder to tamper with in general.
3. Nobody can feed junk into your connection, which means that if your
package manager has some kind of input-sanitization issue you're less
vulnerable since only repos you're pulling from can inject something
into the data stream.
4. The only thing vulnerable to tampering from a MITM is your ssl
library, which probably gets a lot more scrutiny in general than your
package manager.

Sure, I agree that in theory the gpg sigs will authenticate the
package files themselves just fine.  SSL might add relatively little
additional benefit, but IMO the additional cost is lower still, so it
is still a good payoff.

Plus it checks all the IT security boxes.  We're talking about Redhat
here.  If your corporate IT security department gives you an option of
checking yes to "uses SSL?" or checking no and filling out half a page
of justification and getting approvals, I imagine the chief sysadmin
would prefer to just check the yes box...
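As an added illustration of the settings this thread is weighing (not part of Rich's or Joe's messages, and not Red Hat tooling), here is a small Python audit that reads the contents of a yum/dnf `.repo` file and flags the weak choices discussed above: plaintext `http://` repository URLs, `gpgcheck` turned off, `repo_gpgcheck` off (so repository metadata is parsed unsigned), and `sslverify` turned off. The repository names, mirror URLs and key path in the embedded samples are constructed for the example.

```python
"""Audit yum/dnf .repo file contents for transport and signature settings.

Constructed example, not from the mailing-list post. It flags the settings the
thread discusses: http:// repository URLs (no confidentiality or tamper
resistance on the wire), gpgcheck disabled (package signatures unverified),
repo_gpgcheck disabled (repository metadata accepted unsigned), and
sslverify disabled (TLS without certificate validation).
"""
import configparser
from urllib.parse import urlsplit

# Option names under which yum/dnf accept repository URLs.
URL_KEYS = ("baseurl", "mirrorlist", "metalink")


def audit_repo_text(text):
    """Return a list of (section, severity, message) findings for one .repo file."""
    # interpolation=None: repo URLs contain $releasever/$basearch and may contain '%'.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        repo = parser[section]
        # A repo may list several URLs, one per indented line; configparser keeps
        # continuation lines inside the same value, so split on whitespace.
        for key in URL_KEYS:
            for url in repo.get(key, "").split():
                scheme = urlsplit(url).scheme.lower()
                if scheme == "http":
                    findings.append((section, "high",
                                     f"{key} uses plaintext http: {url}"))
                elif scheme not in ("https", "file"):
                    findings.append((section, "medium",
                                     f"{key} uses unexpected scheme '{scheme}': {url}"))
        # gpgcheck governs RPM signature verification; off means any payload is installed.
        if not repo.getboolean("gpgcheck", fallback=False):
            findings.append((section, "high",
                             "gpgcheck is off; package signatures are not verified"))
        # repo_gpgcheck covers repomd.xml and friends; without it the metadata
        # the package manager parses is unsigned input.
        if not repo.getboolean("repo_gpgcheck", fallback=False):
            findings.append((section, "low",
                             "repo_gpgcheck is off; repository metadata is not signature-checked"))
        # sslverify=0 keeps the encryption but drops authentication of the server.
        if not repo.getboolean("sslverify", fallback=True):
            findings.append((section, "high",
                             "sslverify=0; TLS certificate is not validated"))
    return findings


# Constructed sample repo definitions (hostnames and key path are placeholders).
WEAK_REPO = """\
[example-weak]
name=Constructed weak example repo
baseurl=http://mirror.example.invalid/el/$releasever/$basearch/
enabled=1
gpgcheck=0
sslverify=0
"""

HARDENED_REPO = """\
[example-hardened]
name=Constructed hardened example repo
baseurl=https://mirror.example.invalid/el/$releasever/$basearch/
enabled=1
gpgcheck=1
repo_gpgcheck=1
sslverify=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_REPO), ("hardened", HARDENED_REPO)):
        print(f"== {label} ==")
        for section, severity, message in audit_repo_text(text):
            print(f"[{section}] {severity}: {message}")
```

Run against a real system the same function can be fed `open(path).read()` for each file in `/etc/yum.repos.d/`; the hardened sample produces no findings, the weak one produces one finding per weak setting.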

Philadelphia Linux Users Group