2

We've recently passed our SOCII type 1 audit and are working through the type 2 audit. On some of our production servers, I'd like to push more recent versions of a handful of apps, and I see people frequently referring to remi repo. What I DO NOT want to do is jeopardize our compliance with anything. It took me a while just to get them to allow epel. Is it worth pursuing for remi?

UtahJarhead
    I wouldn't be worried about remi unless Red Hat fires him. :) What specific concerns do you (or the auditor) have? – Michael Hampton Dec 20 '18 at 16:34
  • None, yet. I'm simply attempting to foresee potential arguments so I have immediate answers. Edit: Also, I didn't know Remi works for RH. Good information to know! Are you aware of stability issues with packages in Remi's repo? – UtahJarhead Dec 20 '18 at 16:51
  • Remi's repos specifically track the latest upstream package versions, so you have security updates intermixed with bug fixes. For the specific packages in the repos, (PHP, MariaDB, etc.) this is usually what you want. – Michael Hampton Dec 20 '18 at 17:01
  • Thank you for your answers this morning. I appreciate it. – UtahJarhead Dec 20 '18 at 19:05
  • Does Red Hat still employ him? – Ville Laitila Oct 19 '21 at 19:37

1 Answer

7

We cannot know what policies, controls, and software stack you have. That's the point of audits, to verify your procedures in your environment.

Review your policies and procedures. You should be able to do a risk assessment of this software and make a recommendation based on a business need.

Remi repo has a few million (GPG signed) downloads and is involved in Fedora packaging, so it has a trusting community. But remember, neither remi nor RHEL itself has a warranty. Limiting to RHEL itself does not make you compliant, it just controls version change and improves your chances of getting technical support.

John Mahowald
  • You bring up a really good point. I guess I phrased my question wrong. I'm really interested in security and reliability drawbacks with third party REPOs. – UtahJarhead Dec 21 '18 at 02:07
  • I'm accepting yours as the answer because I'm now realizing that I asked a kinda nebulous question. I appreciate your input, greatly. – UtahJarhead Dec 21 '18 at 02:08
  • It is wise to be cautious about the security and stability of a new source of software. But this is far more about your controls than a software support contract. You could achieve a secure and stable system by compiling from source yourself. I don't recommend that when there already exist packages that meet Fedora standards. – John Mahowald Dec 21 '18 at 11:46