Paranoid Penguin - Using Yum for RPM Updates

You can eliminate most known security risks by removing unused software and keeping your system up to date. Here's how to do it with the new tool chosen by three of the most popular Linux distributions.

Updating your Linux system's software whenever security updates become available is one of the most important things you can do to reduce your exposure to bug-related vulnerabilities. It's so important that I've written at length about it both in Linux Journal (“Staying Current without Going Insane”, July 2002) and in Chapter 3 of my book Building Secure Servers With Linux.

Since I wrote those items (two years ago), the means by which you update Debian and SuSE systems haven't changed too much: apt-get and YaST, respectively, still are the preferred tools for this task. But the Red Hat world has a new and noteworthy utility called Yum (for Yellow Dog Updater, Modified). This month I explain where to get Yum, how to set it up and how to use it to simplify the task of keeping your Red Hat, Fedora or Mandrake system up to date.

Yum Overview

As its name implies, the Yellow Dog Updater, Modified evolved from the Yellow Dog Updater, Yup, which is part of the Yellow Dog Linux distribution for Macintosh computers. Whereas Yup runs only on Yellow Dog (Macintosh) systems, Yum presently works on Red Hat, Fedora, Mandrake and Yellow Dog Linux, where it's replaced Yup. Yum is a project of the Linux@DUKE team at Duke University; Seth Vidal and Michael Stenner are credited with the better part of the development work.

In a nutshell, Yum does for RPM-based systems what apt-get does for Debian. It provides a simple command that can be used to install or update a software package automatically, after first installing and updating any other packages necessary to satisfy the desired package's dependencies.

Yum actually consists of two commands: yum is the client command, and yum-arch is a server-side command for creating the header files necessary to turn a Web or FTP server into a Yum repository. The yum-arch command is beyond the scope of this article, but you need to use it if you want to set up a public Yum repository, a private Yum repository for packages you maintain for local systems or even for a non-networked Yum repository on your hard drive. yum-arch is simple to use, and the yum-arch(8) man page tells you everything you need to know.

Unlike apt-rpm, a popular port of apt-get for RPM-based distributions, Yum is native to the RPM package format. And, says Michael Stenner, “Yum is designed to be simple and reliable, with more emphasis on keeping your machine safe and stable than on client-side customization.”

Getting Yum

The Yum download site (see the on-line Resources section) explains which version of Yum to download, depending on which version of Red Hat or Fedora Linux you use. If you're a Fedora user, Yum is part of Fedora Core 1, and the package yum-2.0.4-2.noarch.rpm is on Disk 1 of your Fedora installation CD-ROMs. If you use Mandrake 9.2, the package yum-2.0.1-1mdk.noarch.rpm is included in the distribution's contrib/i586 directory.

Yum is written entirely in Python. Therefore, in order to install any Yum RPM, your system needs the Fedora/Red Hat packages python, gettext, rpm-python and libxml2-python or their Mandrake equivalents. Chances are, all of these packages already are on your system.

Finding Yum Repositories

From where can Yum pull its RPMs? Usually, this happens from a remote site over the Internet. This being a security column, my emphasis here is using Yum to grab security patches, so network updates are the focus of the rest of this column. In the interest of completeness, however, Yum can read RPMs from local filesystems or virtually local filesystems, such as NFS mounts.

Whether on a remote or local server, the RPM collection must be a Yum repository. It must include a directory called headers that contains the RPM header information with which Yum identifies and satisfies RPM dependencies. Therefore, you can't arbitrarily point Yum at any old Red Hat mirror or Mandrake CD-ROM.

If you use Fedora Core 1 or 1.90, you can use Yum with any Fedora mirror. Because Yum is an officially supported update mechanism for Fedora, Fedora mirrors are set up as Yum repositories. And, did you know about the Fedora Legacy Project? This branch of the Fedora effort provides security updates to legacy Red Hat distributions, currently Red Hat 7.3, 8.0 and 9.0. Thus, many Fedora mirrors also contain Red Hat updates in the form of Yum repositories.

If in doubt, a limited but handy list of Yum repositories for a variety of distributions is available (see Resources). Each of the links on this list yields a block of text you can copy and paste directly into your /etc/yum.conf file, which we explore in depth shortly. If all else fails, Googling for mydistroname Yum repository is another way to find repositories.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

The comment "Garrick, use rea

Anonymous's picture

The comment "Garrick, use really small font in Listing 1 (or make wider than one column) to keep the lines from breaking"
Appears above the listing at the begining of the article, and there are a few times where there are font and other editing/publishing instructions for 'garrick' to follow. Thiis is an old article, but I figure I should make note of it so if anyone monitors this still they can correct it.

Re: Paranoid Penguin: Using Yum for RPM Updates

Anonymous's picture

Thanks I have just started using Yellow Dog Linux this aricle couldn't have been better timed than if you wrote it just for me.

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix