On 06/27/2018 12:44 PM, John Hodrien wrote:
On Wed, 27 Jun 2018, Paul Raines wrote:Definitely should have used https instead of http at least. Other than that is it pretty common and not really different than click downloading a *.bin install file and running it with bash (I think Oracle Java still does this)Sure, but that doesn't make it nice.Having public keys you download from an https site at a clear dell URL that you install by hand and then only install rpms with yum is a tad better. But pre and post scripts in RPMs can run anything they want via bash. Ultimately it still comes down to trusting Dell and the integrity of Dell's website certificateTrusting Dell's website certificate still means you man-in-the-middle protected. Look at how EPEL/ELrepo/most other repositories do it. You provide adell-release RPM, signed with their signing key, which is made available overHTTPS.First time you use it, you can download the release RPM, validate it to yoursatisfaction that it's legit, and put that into your internal repos, optionally resigning it or whatever else you'd like to do.Any changes Dell then want to make to their repositories they can release asan updated dell-release RPM, and nobody has to play games like this.
That would be a good solution.
jh
<<attachment: boutilpj.vcf>>
_______________________________________________ Linux-PowerEdge mailing list Linux-PowerEdge@dell.com https://lists.us.dell.com/mailman/listinfo/linux-poweredge
