[lpi-discuss] About objective 1.114.1

Giannis Stoilis giannis at stoilis.gr
Fri May 4 08:39:28 EDT 2007


Hi,

I would like some clarification [and perhaps an update] on objective
"1.114.1 Perform security administration tasks".

One key knowledge area is "Verify packages". Does it mean verifying
BEFORE installing or verifying validity of binaries AFTER
installation?

For either the .deb or the .rpm packaging system, the first one requires
installation and configuration of the pgp/gpg suite, including importing
the relevant keys on the system. This isn't included by default in any
Debian installation, as far as I can see. I am not sure about Fedora
or other rpm-based distributions, but according to some instructions
about how to import Fedora keys I found on the internet, I guess it's
not installed there either.

Regarding the post-installation verification of packages, Debian
doesn't seem to include native support for verifying binaries.
Actually, including md5sums of binaries inside packages seems
optional. There is, however, the debsums utility.

On .rpm based installations things look better. rpm supports the -V
option to verify the installed binaries of a package against their
md5sums. However, for full usage, that needs gpg/pgp keys too.

Unless there is an objection about the above, my point is: Should
there be an update on the objective to include basic gpg/pgp key
management? Additionally, could the phrasing of that key knowledge area
be clarified?


Regards
- Giannis
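
Added example (not part of the original post): a debsums-style post-installation check of files against a dpkg-format md5sums manifest, including the case raised above where a package ships no md5sums at all. The function names, status codes and sample tree are assumptions made for illustration, not the interface of debsums or rpm.

```shell
#!/bin/sh
# verify_md5sums ROOT MANIFEST
# MANIFEST uses the dpkg md5sums layout: "<md5>  <path relative to ROOT>".
# Prints one line per problem file and returns:
#   0 = every listed file matches
#   1 = at least one listed file is changed or missing
#   2 = no manifest (package shipped no md5sums, nothing can be checked)
verify_md5sums() {
    root=$1 manifest=$2 rc=0
    [ -r "$manifest" ] || { echo "NO-MANIFEST $manifest"; return 2; }
    while read -r want path; do
        [ -n "$path" ] || continue          # skip blank or malformed lines
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        have=$(md5sum < "$root/$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Constructed sample: a two-file "package" whose manifest is recorded
# first, after which one file is altered. Prints the temp directory.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/root/usr/bin"
    printf 'original\n' > "$d/root/usr/bin/tool"
    printf 'helper\n'   > "$d/root/usr/bin/helper"
    ( cd "$d/root" && md5sum usr/bin/tool usr/bin/helper ) > "$d/pkg.md5sums"
    printf 'tampered\n' > "$d/root/usr/bin/tool"
    echo "$d"
}

# Stand-alone run over the constructed sample.
d=$(demo_tree)
verify_md5sums "$d/root" "$d/pkg.md5sums" || echo "exit status $?"
rm -rf "$d"
```

A check like this only detects changes relative to the manifest; the manifest itself is trustworthy only if the package it came from was signature-verified before installation.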

