Question about moving from 5733OPS to yum based repo

Issue #16 resolved
Mark Ford created an issue

Apologies if this is the wrong place to ask a question, but it was suggested by IBM support. As a current user of some open source packages on IBM i via the 5733OPS licensed program and PTFs I'm quite keen to migrate over to the new yum based delivery method to take advantage of the additional range of packages and up to date versions. However our information security team are asking me to check that code/packages are coming from a secure and trusted source. I believe the repo is hosted on server public.dhe.ibm.com which being an IBM hosted server sounds fine (though a secure protocol rather than ftp would be preferable), but are the packages that are added to the repo verified or checked in any way to ensure no malicious or vulnerable code is added that could end up on customers systems?

Thanks, Mark.

Comments (3)

  1. Jesse G

    Hi, Mark. Here are the data points that can be used to show the software is coming from a secure+trusted source:

    • The software is built and packaged by IBM teams
    • The software is distributed by an ibm.com site (as you noticed). We have https support but haven't switched the installer over yet.
    • The source code comes from verified sources such as the GNU or Apache communities, where contributed code is subject to appropriate scrutiny as accepted by larger enterprise communities (such as popular enterprise Linux distributions).
    • The source is licensed under an acceptable license as determined by IBM legal review.

    Hope this helps! Feel free to ask any further questions you may have.
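
The two concrete concerns in this thread, a plaintext ftp baseurl and whether packages are verified before they land on a system, can both be checked against the repo file on your own box. The script below is an added example, not code from the thread or from IBM: it audits a yum `.repo` file for an https baseurl and for `gpgcheck=1`, and shows the https rewrite. The sample repo file is constructed here; the real file location on IBM i (commonly `/QOpenSys/etc/yum/repos.d/ibm.repo`) and the exact repo path are assumptions, and nothing on the real system is modified.

```shell
#!/bin/sh
# Added example, not code from the original thread or from IBM: audit a yum
# .repo file for the two properties the question is really about, whether the
# baseurl uses a transport that authenticates the server (https rather than
# ftp/http) and whether RPM signature checking (gpgcheck) is switched on, and
# show the rewrite that moves the baseurl to https. The repo file below is a
# constructed sample; the real location on IBM i is an assumption (commonly
# /QOpenSys/etc/yum/repos.d/ibm.repo) and is not created or modified here.

SAMPLE_REPO="${TMPDIR:-/tmp}/ibm-repo-sample.$$"
cat > "$SAMPLE_REPO" <<'EOF'
[ibm]
name=IBM i open source (constructed sample, ftp baseurl as in the question)
baseurl=ftp://public.dhe.ibm.com/software/ibmi/products/pase/rpms/repo
enabled=1
gpgcheck=0
EOF

# repo_get FILE SECTION KEY: print KEY's value from [SECTION] of an INI-style
# .repo file (first match only, whitespace around '=' stripped).
repo_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { in_sec = ($0 == sec); next }
        in_sec && ($0 ~ ("^" key "[ \t]*=")) {
            sub("^[^=]*=[ \t]*", ""); print; exit
        }' "$1"
}

# check_transport FILE SECTION: exit 0 for https, 1 for plaintext ftp/http,
# 2 when no baseurl is present. https authenticates the server you are
# downloading from; ftp and http do not, so a network-level attacker could
# substitute content regardless of who built the packages.
check_transport() {
    url=$(repo_get "$1" "$2" baseurl)
    case "$url" in
        https://*)        echo "transport ok:        $url"; return 0 ;;
        http://*|ftp://*) echo "plaintext transport: $url"; return 1 ;;
        *)                echo "no baseurl in [$2]";        return 2 ;;
    esac
}

# check_gpgcheck FILE SECTION: exit 0 only when gpgcheck=1, i.e. yum will
# refuse packages whose signature does not verify against an imported key.
check_gpgcheck() {
    val=$(repo_get "$1" "$2" gpgcheck)
    if [ "$val" = "1" ]; then
        echo "gpgcheck enabled"
    else
        echo "gpgcheck disabled (value: '${val:-unset}')"
        return 1
    fi
}

# upgrade_baseurl FILE: print FILE with ftp:// or http:// baseurls rewritten
# to https://. Only useful if the server serves the same path over https,
# which the thread says is supported but not yet the installer default.
upgrade_baseurl() {
    sed -e 's|^\(baseurl[[:space:]]*=[[:space:]]*\)ftp://|\1https://|' \
        -e 's|^\(baseurl[[:space:]]*=[[:space:]]*\)http://|\1https://|' "$1"
}

# audit_repo FILE SECTION: run both checks; exit 0 only if both pass.
audit_repo() {
    rc=0
    check_transport "$1" "$2" || rc=1
    check_gpgcheck "$1" "$2"  || rc=1
    return $rc
}

if audit_repo "$SAMPLE_REPO" ibm; then
    echo "repo [ibm] passes both checks"
else
    echo "repo [ibm] needs attention; https rewrite would give:"
    upgrade_baseurl "$SAMPLE_REPO" | grep '^baseurl'
fi
```

Two caveats for the practitioner. `gpgcheck=1` only helps if the repository actually ships signed RPMs and publishes the signing key; the thread does not say whether IBM does, so check an individual downloaded package with `rpm -K package.rpm` (or `rpm -qp --qf '%{SIGPGP:pgpsig}\n' package.rpm`) before relying on it, and expect yum to refuse installs until the key is imported. And switching the baseurl to https only authenticates the server; it says nothing about what was built into the package, which is the process question Jesse's list addresses.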

  2. Mark Ford reporter

    Thanks Jesse. That's great, and just the sort of information we were looking for. I'll mark this resolved.