On Wed, 27 Jun 2018, Paul Raines wrote:
Definitely should have used https instead of http at least. Other than that is it pretty common and not really different than click downloading a *.bin install file and running it with bash (I think Oracle Java still does this)
Sure, but that doesn't make it nice.
Having public keys you download from an https site at a clear dell URL that you install by hand and then only install rpms with yum is a tad better. But pre and post scripts in RPMs can run anything they want via bash. Ultimately it still comes down to trusting Dell and the integrity of Dell's website certificate
Trusting Dell's website certificate still means you man-in-the-middle protected. Look at how EPEL/ELrepo/most other repositories do it. You provide a dell-release RPM, signed with their signing key, which is made available over HTTPS. First time you use it, you can download the release RPM, validate it to your satisfaction that it's legit, and put that into your internal repos, optionally resigning it or whatever else you'd like to do. Any changes Dell then want to make to their repositories they can release as an updated dell-release RPM, and nobody has to play games like this. jh -- John Hodrien Faculty of Engineering, IT 0113 3435471 10.39a EC Stoner _______________________________________________ Linux-PowerEdge mailing list [email protected] https://lists.us.dell.com/mailman/listinfo/linux-poweredge
