RHEL/CentOS - Is the remi repo safe for audits, etc.?
We cannot know what policies, controls, and software stack you have. That's the point of audits, to verify your procedures in your environment.
Review your policies and procedures. You should be able to do a risk assessment of this software and make a recommendation based on a business need.
Remi repo has a few million (GPG signed) downloads and is involved in Fedora packaging, so it has a trusting community. But remember, neither remi nor RHEL itself has a warranty. Limiting to RHEL itself does not make you compliant, it just controls version change and improves your chances of getting technical support.
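The answer above leans on the fact that remi's packages are GPG-signed, but a signature is only a control if the host actually refuses to install anything unsigned. What an auditor can test is therefore the repo configuration: every enabled repository should carry gpgcheck=1 and a gpgkey= pointing at a key you have reviewed. The script below is an added example, not code from the original answer or from the remi project; the .repo content it audits is constructed inline for illustration, and its section names, URLs and key path are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): flag dnf/yum repositories that
# would accept unsigned packages. The sample .repo file further down is
# constructed for this demonstration; its section names, URLs and key path
# are hypothetical placeholders, not real remi settings.

# weak_repos FILE
#   Prints one line per [section] in FILE that is enabled (enabled=1, or no
#   enabled= line, which dnf treats as enabled) and either lacks gpgcheck=1
#   or has gpgcheck=1 but no gpgkey= to verify against.
#   Exit status 0 when nothing is flagged, 1 otherwise.
weak_repos() {
    awk '
    function flush() {
        if (id != "" && enabled != "0") {
            if (gpgcheck != "1") {
                print id ": gpgcheck=" (gpgcheck == "" ? "<unset>" : gpgcheck); n++
            } else if (gpgkey == "") {
                print id ": gpgcheck=1 but no gpgkey"; n++
            }
        }
    }
    # New [section]: report the previous one, then reset per-section state.
    /^\[.*\]$/ { flush(); id = substr($0, 2, length($0) - 2)
                 enabled = ""; gpgcheck = ""; gpgkey = ""; next }
    # Skip blank lines and comments.
    /^[[:space:]]*(#|$)/ { next }
    # key = value; split on the first "=" only, since gpgkey URLs may contain "=".
    {
        split($0, kv, "=")
        key = kv[1]; gsub(/[[:space:]]/, "", key)
        val = substr($0, index($0, "=") + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
        if (key == "enabled")  enabled  = val
        if (key == "gpgcheck") gpgcheck = val
        if (key == "gpgkey")   gpgkey   = val
    }
    END { flush(); exit (n > 0 ? 1 : 0) }
    ' "$1"
}

# Constructed sample .repo file: one section configured the way a third-party
# repo should be, two weak ones, and a disabled one the audit must ignore.
sample_repo_file() {
    cat <<'EOF'
[remi-like-hardened]
name=Hypothetical third-party repo, signature checking enforced
baseurl=https://repo.example.invalid/el8/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[thirdparty-nocheck]
name=Hypothetical repo with signature checking switched off
baseurl=https://repo.example.invalid/el8/x86_64/
enabled=1
gpgcheck=0

[thirdparty-nokey]
name=Hypothetical repo that checks signatures but ships no key to check against
baseurl=https://repo.example.invalid/el8/x86_64/
enabled=1
gpgcheck=1

[disabled-repo]
name=Disabled, so not a live risk and ignored by the audit
baseurl=https://repo.example.invalid/el8/x86_64/
enabled=0
gpgcheck=0
EOF
}

# audit_sample
#   Writes the constructed sample to a temp file and runs weak_repos over it.
#   Returns weak_repos' exit status (1 here, because two sections are weak).
audit_sample() {
    _tmp=$(mktemp)
    sample_repo_file > "$_tmp"
    weak_repos "$_tmp"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# On a real host, audit the live configuration instead of the sample:
#   for f in /etc/yum.repos.d/*.repo; do weak_repos "$f"; done
```

Two things the script deliberately does not check, because they need human judgement rather than a regex: whether the key named in gpgkey= is the one the repo publisher actually uses (compare the fingerprint against the publisher's site, then list what the host trusts with `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'`), and whether repo_gpgcheck=1 is appropriate, which additionally verifies the repository metadata signature where the repo publishes one. Keeping the output of this check with your change records is the kind of evidence a SOC 2 auditor can use; the repository's reputation alone is not.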
UtahJarhead
Programmer, Developer, SysAdmin. 20 years experience.
Updated on September 18, 2022

Comments
- UtahJarhead, over 1 year ago: We've recently passed our SOC 2 Type 1 audit and are working through the Type 2 audit. On some of our production servers, I'd like to push more recent versions of a handful of apps, and I see people frequently referring to the remi repo. What I DO NOT want to do is jeopardize our compliance with anything. It took me a while just to get them to allow epel. Is it worth pursuing for remi?
- Michael Hampton, over 5 years ago: I wouldn't be worried about remi unless Red Hat fires him. :) What specific concerns do you (or the auditor) have?
- UtahJarhead, over 5 years ago: None, yet. I'm simply attempting to foresee potential arguments so I have immediate answers. Edit: Also, I didn't know Remi works for RH. Good information to know! Are you aware of stability issues with packages in Remi's repo?
- UtahJarhead, over 5 years ago: Thank you for your answers this morning. I appreciate it.
- Ville Laitila, over 2 years ago: Does Red Hat still employ him?
- UtahJarhead, over 5 years ago: You bring up a really good point. I guess I phrased my question wrong. I'm really interested in security and reliability drawbacks with third-party repos.
- UtahJarhead, over 5 years ago: I'm accepting yours as the answer because I'm now realizing that I asked a kinda nebulous question. I appreciate your input, greatly.
- John Mahowald, over 5 years ago: It is wise to be cautious about the security and stability of a new source of software. But this is far more about your controls than a software support contract. You could achieve a secure and stable system by compiling from source yourself. I don't recommend that when there already exist packages that meet Fedora standards.