RHEL/CentOS - Is remi repo safe for for audits, etc?

5,090

We cannot know what policies, controls, and software stack you have. That's the point of audits, to verify your procedures in your environment.

Review your policies and procedures. You should be able to do a risk assessment of this software and make a recommendation based on a business need.

Remi repo has a few million (GPG signed) downloads and is involved in Fedora packaging, so it has a trusting community. But remember, neither remi nor RHEL itself has a warranty. Limiting to RHEL itself does not make you compliant, it just controls version change and improves your chances of getting technical support.
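The answer's point is that the controls around a repository matter more than which vendor publishes it. One control an auditor will ask about is whether every enabled repository actually enforces GPG signature verification. The script below is an added example, not part of the original answer or of the Remi project: it parses `.repo` definitions and reports any enabled repository with `gpgcheck` off or with no `gpgkey` declared. The sample `.repo` text, the repository ids, the `example.invalid` URLs and the key path are all constructed for the demonstration; the only assumptions about yum/dnf are the standard INI layout (`[id]`, `enabled=`, `gpgcheck=`, `gpgkey=`) and that a section lacking `enabled=` is enabled by default, while a missing `gpgcheck=` is treated conservatively as not enforced.

```shell
#!/bin/sh
# Added example, not from the original answer: audit yum/dnf .repo sections for
# repositories that are enabled but would accept packages without GPG verification.

# Constructed sample .repo content (ids, URLs and key path are illustrative only).
SAMPLE_REPO='[thirdparty-signed]
name=Third-party repo with signature checking enforced (constructed sample)
baseurl=https://example.invalid/signed/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[thirdparty-unsigned]
name=Repo with signature checking disabled (constructed sample)
baseurl=https://example.invalid/unsigned/
enabled=1
gpgcheck=0

[thirdparty-nokey]
name=gpgcheck on, but no key source declared (constructed sample)
baseurl=https://example.invalid/nokey/
enabled=1
gpgcheck=1

[thirdparty-disabled]
name=Disabled repo, ignored by the audit (constructed sample)
baseurl=https://example.invalid/disabled/
enabled=0
gpgcheck=1
'

# audit_repo_text: reads .repo text on stdin and prints one line per section:
#   <id> <enabled> <gpgcheck> <has_gpgkey> <verdict>
# Verdicts: OK, FAIL:gpgcheck_disabled (packages installed unverified),
# WARN:no_gpgkey (verification depends on a key already in the rpm keyring),
# SKIP:disabled (section is not enabled).
audit_repo_text() {
  awk '
    function flush() {
      if (id == "") return
      verdict = "OK"
      if (enabled != "1") verdict = "SKIP:disabled"
      else if (gpgcheck != "1") verdict = "FAIL:gpgcheck_disabled"
      else if (gpgkey == "") verdict = "WARN:no_gpgkey"
      print id, enabled, gpgcheck, (gpgkey == "" ? 0 : 1), verdict
    }
    # A new [section] starts a repo; defaults assume enabled=1, gpgcheck unset.
    /^\[/ { flush(); id = substr($0, 2, length($0) - 2); enabled = "1"; gpgcheck = "0"; gpgkey = ""; next }
    /^enabled=/  { enabled = substr($0, 9) }
    /^gpgcheck=/ { gpgcheck = substr($0, 10) }
    /^gpgkey=/   { gpgkey = substr($0, 8) }
    END { flush() }
  '
}

# count_verdicts: number of sample sections whose verdict starts with the given prefix.
count_verdicts() {
  printf '%s\n' "$SAMPLE_REPO" | audit_repo_text | awk -v p="$1" 'index($5, p) == 1 { n++ } END { print n + 0 }'
}

# audit_system_repos: run the same check over the live repo definitions.
# Concatenation is safe because every repo begins with its own [id] header.
audit_system_repos() {
  cat /etc/yum.repos.d/*.repo 2>/dev/null | audit_repo_text
}

# Stand-alone run: report on the constructed sample.
printf '%s\n' "$SAMPLE_REPO" | audit_repo_text
```

On a real host, call `audit_system_repos` and treat any `FAIL:` line as a finding; a `WARN:` line is worth documenting in the same way, since the auditor will want to know where the trusted key came from and how it was verified before import.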

Author: UtahJarhead

Programmer, Developer, SysAdmin. 20 years experience.

Updated on September 18, 2022

Comments

  • UtahJarhead
    UtahJarhead over 1 year

    We've recently passed our SOC II Type 1 audit and are working through the Type 2 audit. On some of our production servers, I'd like to push more recent versions of a handful of apps, and I see people frequently referring to the remi repo. What I DO NOT want to do is jeopardize our compliance with anything. It took me a while just to get them to allow EPEL. Is it worth pursuing for remi?

    • Michael Hampton
      Michael Hampton over 5 years
      I wouldn't be worried about remi unless Red Hat fires him. :) What specific concerns do you (or the auditor) have?
    • UtahJarhead
      UtahJarhead over 5 years
      None, yet. I'm simply attempting to foresee potential arguments so I have immediate answers. Edit: Also, I didn't know Remi works for RH. Good information to know! Are you aware of stability issues with packages in Remi's repo?
    • UtahJarhead
      UtahJarhead over 5 years
      Thank you for your answers this morning. I appreciate it.
    • Ville Laitila
      Ville Laitila over 2 years
      Does Red Hat still employ him?
  • UtahJarhead
    UtahJarhead over 5 years
    You bring up a really good point. I guess I phrased my question wrong. I'm really interested in security and reliability drawbacks with third party REPOs.
  • UtahJarhead
    UtahJarhead over 5 years
    I'm accepting yours as the answer because I'm now realizing that I asked a kinda nebulous question. I appreciate your input, greatly.
  • John Mahowald
    John Mahowald over 5 years
    It is wise to be cautious about the security and stability of a new source of software. But this is far more about your controls than a software support contract. You could achieve a secure and stable system by compiling from source yourself. I don't recommend that when there already exist packages that meet Fedora standards.