SCIENTIFIC-LINUX-USERS Archives

February 2021

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Konstantin Olchanski
Date: Thu, 4 Feb 2021 14:02:52 -0800

These instructions are insecure; they set you up for a supply-chain attack:

a) RPMs are loaded over plain "http" (no "https")
b) RPM signature is not checked

A more secure sequence would:

- wget https://somewhere/rpm-signature-key
- independently verify this signature
- rpm import it
- rpm check signature before installing (or use yum, confirm package signature is enabled)


K.O.


On Thu, Feb 04, 2021 at 03:42:31PM -0600, Ching Him Leung wrote:
> I have not tried RHEL yet, but I have had some success converting from CentOS 8 to Springdale 8 on a VM. Here are some instructions I found on the Rocky Linux forum:
> 
> dnf update -y
> rpm -e --nodeps centos-backgrounds centos-indexhtml centos-gpg-keys centos-linux-release centos-linux-repos centos-logos
> rpm -ivh \
>         http://springdale.princeton.edu/data/springdale/8/x86_64/os/BaseOS/Packages/springdale-appstream-8-0.sdl8.2.noarch.rpm \
>         http://springdale.princeton.edu/data/springdale/8/x86_64/os/BaseOS/Packages/springdale-core-8-0.sdl8.2.noarch.rpm \
>         http://springdale.princeton.edu/data/springdale/8/x86_64/os/BaseOS/Packages/springdale-release-8.3-0.42.el8.x86_64.rpm
> dnf distro-sync -y
> 
> the distro-sync will reinstall every package 
> 
> Ching Him

-- 
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada
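As an added example (not code from either message in this thread), here is a shell version of the sequence Konstantin outlines: the signing key is fetched over https, its fingerprint is compared with a value obtained out of band, it is imported, each RPM is signature-checked before installation, and the yum/dnf repo file is confirmed to have gpgcheck=1. The key URL, expected fingerprint and RPM URL are passed in as arguments and must come from the distribution's official documentation; they are assumptions here, not values from the posts.

```shell
#!/bin/sh
# Added example, not the thread's own commands. URLs and the expected
# fingerprint are caller-supplied placeholders, not values from the posts.
set -eu

# Refuse any download URL that is not https:// (point "a" in the thread).
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-https URL: $1" >&2; return 1 ;;
    esac
}

# Return 0 only if every [section] in a .repo file sets gpgcheck=1,
# so yum/dnf will reject unsigned or badly signed packages (point "b").
repo_gpgcheck_enabled() {
    awk '
        /^\[/ { if (sec != "" && !ok) bad = 1; sec = $0; ok = 0; next }
        /^gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { ok = 1 }
        END   { if (sec == "" || !ok) bad = 1; exit (bad ? 1 : 0) }
    ' "$1"
}

# Fetch the signing key over https, compare its fingerprint with the value
# obtained out of band (docs page, printed notice, a colleague), then import it.
import_signing_key() {
    key_url=$1; expected_fpr=$2; key_file=$(mktemp)
    require_https "$key_url"
    wget -q -O "$key_file" "$key_url"
    # GnuPG 2.1+: show-only prints the key's records without importing it.
    actual_fpr=$(gpg --with-colons --import-options show-only --import "$key_file" \
                 | awk -F: '$1 == "fpr" { print $10; exit }')
    [ "$actual_fpr" = "$expected_fpr" ] || { echo "key fingerprint mismatch" >&2; return 1; }
    rpm --import "$key_file"
}

# Fetch an RPM over https and install it only if it carries a signature that
# verifies against an imported key. rpm -K alone passes an unsigned package
# (it only checks digests), hence the extra SIGPGP check.
install_verified_rpm() {
    rpm_url=$1; rpm_file=$(mktemp)
    require_https "$rpm_url"
    wget -q -O "$rpm_file" "$rpm_url"
    rpm -K "$rpm_file"
    [ "$(rpm -qp --qf '%{SIGPGP:pgpsig}' "$rpm_file")" != "(none)" ] \
        || { echo "package is unsigned" >&2; return 1; }
    rpm -ivh "$rpm_file"
}
```

Typical use: `import_signing_key https://somewhere/rpm-signature-key "<EXPECTED_FPR>"`, then `install_verified_rpm` for each package URL, and `repo_gpgcheck_enabled /etc/yum.repos.d/<file>.repo` before running `dnf distro-sync`.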
