
The official MongoDB guide suggests that I add a .repo with gpgcheck=0 over HTTP protocol. I'm getting the feeling that this is a very insecure setup - I am worried about exposing myself to MiTM attacks this way every time I try to update my system within an untrusted network. Is this actually possible or are there any security mechanisms that I'm not aware of that would protect me from that? If not, is there any way to make this .repo setup more secure without relying on my OS's old packages or compiling the program from scratch?

d33tah
    It would _appear_ that you don't install it securely. If this is a concern for you, then you should contact the packager. – Michael Hampton Oct 03 '15 at 13:00
  • @MichaelHampton: Thanks for this advice! I think it's a good one and ended up doing that: https://jira.mongodb.org/browse/DOCS-6320 - let's see if I get any response ;) – d33tah Oct 03 '15 at 13:16

1 Answer


It appears that you can't do this. Along with disabling the GPG check on the repo, if you look to download the .rpm file yourself then there is no hash of the archive provided for you to be able to verify its authenticity.

As an aside, the way they present the (potential) SELinux issues and solutions is interesting, it's almost as if they want you to disable it.

Not that any of this really matters, it's very DevOps and meh! that stuff doesn't matter ;)

user9517
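As an added example (not from the question or the answer), here is a small audit script that flags the weaknesses discussed above in a yum/dnf .repo file: gpgcheck=0, a missing gpgkey, unsigned repository metadata, and any URL fetched over plain HTTP. The two sample stanzas and their hostnames are constructed placeholders, not MongoDB's real repository.

```python
"""Audit yum/dnf .repo stanzas for settings an on-path attacker can abuse."""
import configparser
from io import StringIO

# Constructed sample (not from the post): the first stanza has the shape the
# question describes, plain HTTP plus gpgcheck=0; the second is hardened.
# Hostnames and the key path are placeholders, not real addresses.
SAMPLE_REPO = """[example-insecure]
name=Example repository (insecure)
baseurl=http://repo.example.invalid/el7/
gpgcheck=0

[example-hardened]
name=Example repository (hardened)
baseurl=https://repo.example.invalid/el7/
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://repo.example.invalid/RPM-GPG-KEY-example
"""

# Options whose values are URLs (possibly several, whitespace separated).
URL_KEYS = ("baseurl", "mirrorlist", "metalink", "gpgkey")


def audit_repo(text):
    """Return {repo_id: [finding, ...]}; an empty list means nothing flagged."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(StringIO(text))
    report = {}
    for repo_id in parser.sections():
        sec, findings = parser[repo_id], []
        gpgcheck = sec.get("gpgcheck")
        if gpgcheck is None:
            findings.append("gpgcheck unset: inherits whatever [main] says")
        elif gpgcheck.strip() != "1":
            findings.append("gpgcheck=0: package signatures are not verified")
        elif "gpgkey" not in sec:
            findings.append("gpgcheck=1 but no gpgkey to verify against")
        if sec.get("repo_gpgcheck", "0").strip() != "1":
            findings.append("repo_gpgcheck off: repository metadata is not verified")
        for key in URL_KEYS:
            for url in sec.get(key, "").split():
                if url.lower().startswith("http://"):
                    findings.append(f"{key} fetched over plain HTTP: {url}")
        report[repo_id] = findings
    return report

if __name__ == "__main__":
    for repo_id, findings in audit_repo(SAMPLE_REPO).items():
        print(repo_id, "->", findings or ["no findings"])
```

Note that gpgcheck=1 only helps if the key itself arrives over a trusted channel, which is why a gpgkey URL over plain HTTP is flagged as well.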