Information Security

Defending the digital infrastructure


Linux's Best Friend

Thanks to YUM, Linux updates are as reliable as Old Yeller.

Bits & Bolts

The Right Tool
YUM is more scalable and fault tolerant than other Linux updating programs, such as Red Hat's up2date and APT-RPM (Conectiva's port of Debian's APT to RPM-based systems), which makes it more suitable for enterprise environments.

YUM handles dependencies more gracefully than the others, supports multiple repositories, groups and failover, and simplifies the management of multiple centralized and decentralized machines.

YUM, like up2date, is written in Python, while APT-RPM is written in C++; the difference is about 33,000 lines of code, meaning YUM and up2date have a much smaller and simpler code base (not a faster one: interpreted Python is generally slower than compiled C++). On the other hand, up2date and APT-RPM have native GUIs, while YUM is command-line only (third-party GUIs are available). Also, up2date has a rollback feature absent in YUM, which matters when an update turns out to be incorrect or incomplete.

YUM can be used on other popular distributions such as Novell's SuSE Linux or Mandrake, but it is most tightly integrated with, and least likely to cause problems on, Red Hat and Fedora. SuSE and Mandrake users may want to consider their native updaters, YaST and urpmi.

Linux is here to stay. Its appeal as an open-source OS and the perception that it's more secure than Windows have given it a strong foothold in businesses, government agencies and universities. Gartner reported that the revenue from sales of Linux-based servers grew by 55.7 percent in third quarter 2004 over the previous year, and IDC said that Linux accounted for 9 percent of worldwide server sales in the same quarter.

But updating and patching Linux can be a tedious and error-prone process, even if you have resident Linux gurus. That's where Yellowdog Updater, Modified (YUM) can help.

YUM (a rewrite, maintained at Duke University, of the Yellowdog Updater, YUP, originally written for Yellow Dog Linux, a distribution for PowerPC Macs) is the most flexible and arguably the best of several automated tools available to manage Linux software updates easily and consistently.

The cost of supporting Linux servers and workstations can surpass that of your Windows boxes in a hurry: vulnerabilities remain unpatched, and ad hoc configurations spring up across the enterprise. Commercial patching/updating products are expensive and focus mostly on Windows.

YUM saves time, money and security headaches by centralizing administration and version control.

Updating the Hard Way
Red Hat Package Manager (RPM), originally developed by Red Hat, is a command-line tool that installs, uninstalls, queries, verifies and updates packages on any RPM-based Linux distribution. (Because it is now used well beyond Red Hat, the recursive expansion RPM Package Manager is also common.)

Each RPM package consists of a lead, a signature section, a header and a compressed cpio archive of the files. The header carries the metadata (name, version, release, dependencies, file list) that the utility uses to install or uninstall the package; the signature section holds the digests and optional GPG signature over the header and payload, which is what gets verified when signature checking is enabled.

This is a purely manual process: you update each package on each server at the console or over a remote session. Most packages require not only the files you're updating but numerous other tools and libraries, called dependencies, and each of these, in turn, may require additional tools and libraries.

Resolving all these dependencies and getting the install right is time-consuming and prone to error. It's all too easy to get it wrong and break an app or crash a box.

Imagine patching and updating a handful of servers and workstations this way. For large, distributed environments, this would be unthinkable. The cost would be prohibitive, and you'd need a number of Linux experts to install and troubleshoot across the enterprise.

Updating the YUM Way
YUM solves most of these problems by enabling automatic updates to servers and workstations across an enterprise. While it lacks some of the features of high-end commercial tools, it's a viable option and a dramatic improvement over pure RPM updates.

The tool works with any Linux distribution (though it's most tightly integrated with Red Hat and Fedora Core) or application packaged in RPM format. YUM runs on top of RPM as a front end, automating its processes. There are two primary components: yum-arch, which builds the server-side RPM package repository (later YUM releases replace it with createrepo, which writes XML repository metadata), and the YUM client, which pulls in and installs the updates.

The cornerstone of the tool is yum-arch. It extracts the header of each RPM package into a separate file on the repository (an FTP, NFS or HTTP server). Publishing the headers separately from the packages is what lets a client resolve dependencies without first downloading the packages themselves; yum-arch also has a variety of debugging, informational and security switches that are primarily of use to admins setting up a repository.

The YUM client polls the target repository for pertinent OS or application (say, Mozilla or Snort) updates. It downloads the header files, compares them with the client's cached headers to determine which packages have a newer version available, resolves all the dependencies and completes the installs.

By downloading only the headers first, YUM minimizes network traffic. It downloads packages only after it determines what is required, which is particularly important over slower connections like a fractional T1. The locally cached headers are then refreshed to reflect the current state for the next update check.

If YUM encounters a problem, like a package conflict, a wrong version or an unsatisfiable dependency (a required package or library that no configured repository provides), it aborts the transaction and reports the error rather than leaving the system half updated. (A circular dependency, where A requires B and B requires A, is not itself an error: RPM installs both in a single transaction.) YUM has failover capabilities, so you can designate URLs for both primary and mirror repositories. YUM generates logs that can easily be reviewed to verify installations and updates.
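The header comparison described above is the step that decides what gets downloaded. The following added example (not code from the article or from YUM itself) reimplements that decision in pure Python: YUM obtains its version comparison from librpm's rpmvercmp through the rpm Python bindings, and rpmvercmp() here follows that algorithm as it stood in 2005 (no tilde or caret handling). INSTALLED and REPO are constructed sample header data, not anything fetched from a real repository.

```python
"""Work out which packages need updating by comparing repository headers
against the client's cached headers, using RPM's version-comparison rules.

Added illustration, not YUM's own code. rpmvercmp() is a pure-Python
re-implementation of librpm's algorithm; INSTALLED and REPO are constructed
sample data."""
import functools
import re
from typing import Dict, List, Tuple

EVR = Tuple[int, str, str]          # (epoch, version, release)

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings like rpm's rpmvercmp.

    Returns 1 if a is newer, -1 if b is newer, 0 if equal. Each string is
    split into runs of digits and runs of letters (separators such as '.'
    and '_' are skipped); numeric runs compare as integers, alphabetic runs
    compare lexically, a numeric run beats an alphabetic one at the same
    position, and when all shared runs are equal the string with runs left
    over is the newer one. This is why release 10 is newer than release 8,
    which a plain string comparison would get wrong."""
    if a == b:
        return 0
    seg_a = _SEGMENT.findall(a)
    seg_b = _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_is_num, y_is_num = x.isdigit(), y.isdigit()
        if x_is_num and y_is_num:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x_is_num != y_is_num:
            return 1 if x_is_num else -1
        elif x != y:
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def evrcmp(a: EVR, b: EVR) -> int:
    """Epoch first, then version, then release: the precedence rpm uses."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    result = rpmvercmp(a[1], b[1])
    return result if result else rpmvercmp(a[2], b[2])


# Constructed sample: what the client's cached headers say is installed.
INSTALLED: Dict[str, EVR] = {
    "mozilla": (37, "1.7.3", "17"),
    "snort":   (0, "2.3.0", "1"),
    "openssh": (0, "3.9p1", "8"),
    "kernel":  (0, "2.6.10", "1.770_FC3"),
}

# Constructed sample: headers advertised by the repository.
REPO: Dict[str, List[EVR]] = {
    "mozilla": [(37, "1.7.3", "17"), (37, "1.7.5", "1")],
    "snort":   [(0, "2.2.0", "3")],                        # older than installed
    "openssh": [(0, "3.9p1", "8"), (0, "3.9p1", "10")],    # 10 > 8, not "10" < "8"
    "kernel":  [(0, "2.6.10", "1.770_FC3"), (0, "2.6.11", "1.14_FC3")],
}


def pending_updates(installed: Dict[str, EVR],
                    repo: Dict[str, List[EVR]]) -> Dict[str, EVR]:
    """Return {name: newest EVR} for each package the repository can move
    strictly forward. Nothing is ever downgraded, and a package with no
    newer candidate is simply absent, so only the RPMs in the result need
    to be fetched: the comparison the client performs on headers before
    downloading any packages."""
    updates: Dict[str, EVR] = {}
    for name, have in installed.items():
        newer = [evr for evr in repo.get(name, []) if evrcmp(evr, have) > 0]
        if newer:
            updates[name] = max(newer, key=functools.cmp_to_key(evrcmp))
    return updates


if __name__ == "__main__":
    for name, evr in sorted(pending_updates(INSTALLED, REPO).items()):
        print(f"{name}: update to {evr[0]}:{evr[1]}-{evr[2]}")
```

Run as a script, it lists kernel, mozilla and openssh as pending and leaves snort alone because the repository only offers an older build. The epoch (37 on the constructed mozilla entry) is the field packagers bump when a version scheme changes and plain version comparison would otherwise go backwards.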

The YUM client is itself an RPM, so it can be installed over an SSH session (not Telnet, which sends credentials in the clear) with a single rpm command. Installing, updating and removing packages still requires root, because only root can write the RPM database and the installed files; read-only operations such as checking for available updates can run as an unprivileged user. YUM should be configured to verify GPG signatures (gpgcheck=1 in yum.conf), so that a package is installed only if it was signed by a key you have imported into the RPM keyring.

YUM at Its Yummiest
YUM's real power is in its automation, flexibility and fault tolerance.

While an update can be launched with a single command, YUM can also be run from cron for regular (e.g. daily) update checks; on Fedora Core, the yum package ships a daily cron job that is enabled by turning on the yum service. On each run YUM downloads the RPM header files, checks for updates and installs any it finds. This makes YUM truly automated and gives organizations the option of off-hour and staggered installations.

YUM's versatility and security can be further enhanced through the use of local or private repositories and application groups. Although YUM clients can be, and often are, directed to query public repositories, best practice often indicates the use of site repositories for maximum flexibility, control and security. For starters, creating repositories inside the firewall reduces exposure: a client fetching from an Internet repository over plain HTTP or FTP can be fed tampered packages or metadata by a man-in-the-middle or DNS-poisoning attack. The control that actually defeats a tampered package is GPG signature checking, which should be on regardless of where the repository sits; note that it covers the packages, not the list of available updates, so a spoofed repository can still withhold updates or replay old packages, and a local repository you control is the answer to that.

Local repositories assure that only tested updates and patches are applied. By controlling what RPM packages sit on authorized repositories, you can make sure that they will be applied only after they have been cleared for production. (Or, if you are using public repositories or a centralized site repository, you can limit what YUM automatically updates through exclude directives in the client's yum.conf.)
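The two client-side controls just mentioned, signature checking and exclude patterns, both live in yum.conf. The following added example (not from the article or from YUM) audits a constructed yum.conf in the 2.x single-file layout, where repositories are defined inline rather than in /etc/yum.repos.d: it reports every repository whose effective gpgcheck is off, flags cleartext transports as a reminder that integrity rests on gpgcheck alone, turns signature checking on, and shows how exclude globs trim an update list. The hostnames in SAMPLE_CONF are placeholders.

```python
"""Audit a yum.conf for GPG signature checking and apply exclude patterns.

Added example, not YUM's own code. SAMPLE_CONF is a constructed yum.conf in
the 2.x inline-repository layout with placeholder hostnames. Exclude matching
uses shell-style globs, which is how yum interprets the exclude= option."""
import configparser
import fnmatch
from typing import List, Tuple
from urllib.parse import urlparse

SAMPLE_CONF = """\
[main]
cachedir=/var/cache/yum
logfile=/var/log/yum.log
gpgcheck=0
exclude=kernel* snort

[base]
name=Fedora Core $releasever - $basearch - Base
baseurl=http://mirror.example.org/fedora/core/$releasever/$basearch/os/
gpgcheck=1

[updates-site]
name=Site-tested updates (inside the firewall)
baseurl=http://yum.corp.example/fedora/$releasever/updates/
failovermethod=priority

[extras-public]
name=Public third-party packages
baseurl=http://packages.example.net/fedora/$releasever/
gpgcheck=0
"""


def load_conf(text: str) -> configparser.ConfigParser:
    # interpolation=None keeps yum's $releasever / $basearch variables intact
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def repo_sections(cfg: configparser.ConfigParser) -> List[str]:
    return [s for s in cfg.sections() if s != "main" and cfg.has_option(s, "baseurl")]


def effective_gpgcheck(cfg: configparser.ConfigParser, repo: str) -> bool:
    """A repository inherits gpgcheck from [main] unless it sets its own."""
    value = cfg.get(repo, "gpgcheck",
                    fallback=cfg.get("main", "gpgcheck", fallback="0"))
    return value.strip() == "1"


def audit(cfg: configparser.ConfigParser) -> List[Tuple[str, str]]:
    """Return (repo, problem) pairs. Signature checking is what defeats a
    spoofed or tampered repository; a cleartext URL is flagged only as a
    reminder that the transport provides no integrity of its own."""
    findings = []
    for repo in repo_sections(cfg):
        if not effective_gpgcheck(cfg, repo):
            findings.append((repo, "gpgcheck disabled: unsigned or tampered RPMs would install"))
        scheme = urlparse(cfg.get(repo, "baseurl")).scheme
        if scheme in ("http", "ftp"):
            findings.append((repo, f"{scheme} transport: integrity rests entirely on gpgcheck"))
    return findings


def harden(cfg: configparser.ConfigParser) -> configparser.ConfigParser:
    """Force gpgcheck=1 globally and remove any per-repo override that turns it off."""
    cfg.set("main", "gpgcheck", "1")
    for repo in repo_sections(cfg):
        if cfg.get(repo, "gpgcheck", fallback="1").strip() != "1":
            cfg.set(repo, "gpgcheck", "1")
    return cfg


def exclude_patterns(cfg: configparser.ConfigParser) -> List[str]:
    return cfg.get("main", "exclude", fallback="").split()


def filter_excluded(names: List[str], patterns: List[str]) -> List[str]:
    """Drop packages matching any exclude glob before building the transaction."""
    return [n for n in names if not any(fnmatch.fnmatchcase(n, p) for p in patterns)]


if __name__ == "__main__":
    cfg = load_conf(SAMPLE_CONF)
    for repo, problem in audit(cfg):
        print(f"{repo}: {problem}")
    candidates = ["kernel", "kernel-smp", "snort", "mozilla", "openssh"]
    print("would update:", filter_excluded(candidates, exclude_patterns(cfg)))
```

In the constructed file, [updates-site] inherits gpgcheck=0 from [main] even though it is the trusted internal repository, which is the kind of silent inheritance an audit should catch; after harden() only the transport reminders remain. A kernel exclude of this sort is common where reboots must be scheduled separately from routine package updates.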

Distributed repositories—in branch offices, for example—reduce bandwidth consumption, so YUM clients won't all query a single central repository or flood your Internet access by downloading packages from a public site. And, high-security environments may need closed LAN segments with their own repository.

Going a step further, you can organize repositories of OSes, applications and tools by department or business unit. YUM facilitates this through groups defined in an XML-based file (comps.xml) that assigns packages to named groups, which can then be installed or updated as a unit.

Pros and Cons
YUM is arguably best of class, though there are other Linux update tools, including up2date and APT-RPM, which may have features you prefer (see The Right Tool).

Using YUM for your Linux boxes and Microsoft's Software Update Services (SUS) or a third-party product for Windows servers and workstations is a reasonable software and patch update strategy. YUM may not be robust enough for all enterprises. It lacks the central administration, rollback and reporting features of many commercial patch and configuration management tools. And it covers only RPM-based Linux distributions.

But YUM is a free tool that's flexible, scalable, fault tolerant and easy to manage in centralized and decentralized environments. If maintaining your Linux boxes is a drag on your IT department, it's worth a look.
