Hi, I would like some clarification [and perhaps an update] on objective "1.114.1 Perform security administration tasks".
One key knowledge area is "Verify packages". Does it mean verifying BEFORE installing or verifying validity of binaries AFTER installation?

For either the .deb or the .rpm packaging system, the first one requires installation and configuration of the pgp/gpg suite, including importing the relevant keys on the system. This isn't included by default in any Debian installation, as far as I can see. I am not sure about Fedora or other rpm-based distributions, but according to some instructions about how to import Fedora keys I found on the internet, I guess it's not installed there either.

Regarding the post-installation verification of packages, Debian doesn't seem to include native support for verifying binaries. Actually, including md5sums of binaries inside packages seems optional. There is, however, the utility debsums. On .rpm-based installations things look better. rpm supports the -V option to verify the installed binaries of a package against their md5sums. However, for full usage, that needs gpg/pgp keys too.

Unless there is an objection about the above, my point is: Should there be an update on the objective to include basic gpg/pgp key management? Additionally, could the phrasing of that key knowledge area be clarified?

Regards - Giannis
