Red Hat Linux at Iowa State University - Software Mirror

General Information

Introduction
This site is managed and maintained by the Red Hat Enterprise Linux group at Iowa State University. It serves as a collecting point for software packages compatible with Red Hat Enterprise Linux. These packages have been produced and compiled both by Red Hat and other sources.


The collections available on this site are listed in the navigation menu on the left side of this page. All collections are navigable via a browser or ftp.

How you use each repository depends on the repository itself. Each repository has information associated with it that describes its content, how it should be used, and where you may browse to find more help. The packages can be downloaded and installed by a variety of methods using the FTP and HTTP protocols.

All of the packages on this server have been built by third-party providers, and as a result there are trust issues involved. Is there a way you can check the integrity of the packages (or require a given level of integrity) before or during their installation?


Most of the packages on this site provide one of the following two methods for verifying the packages. Both methods require that you trust that the source of the packages is the same as the source of the verification method. If you accept that premise, these methods provide a fair amount of confidence that the package you have downloaded/installed is the same as that constructed by the developer(s).

A checksum, in its most basic form, is a simple addition of the basic blocks that compose the data. For a file, these are usually the bytes that make up the file. However, a simple additive checksum is not unique: many different files sum to the same value, and a unique checksum is necessary to prove the integrity of a file. The MD5 and SHA1 cryptographic hash functions, or message digests, provide nearly unique output for the input fed to them. Thus an MD5 (or SHA1) checksum provides a nearly unique checksum for a given input file, sensitive to a change in any single byte.


As an example, suppose you wished to verify the integrity of the disc 1 ISO of Fedora Core 6. Look for its checksum in the file SHA1SUM and then calculate its checksum using the Linux command sha1sum. If they match, you can assume that the file you downloaded was produced by the person (or people) who created the checksum.

[root@hecuba iso]# grep FC-6-i386-disc1.iso SHA1SUM
cc503d99c9d736af9052904a6ab14931b0850078 FC-6-i386-disc1.iso

[root@blarg iso]# sha1sum FC-6-i386-disc1.iso
cc503d99c9d736af9052904a6ab14931b0850078 FC-6-i386-disc1.iso
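The comparison shown in the session above, written as a small script so it can be repeated for every download. This is an added example, not part of the mirror's own documentation; the ISO and the SHA1SUM file it checks are constructed stand-ins, not the real Fedora Core 6 image. The manifest line format it reads ("<hex digest>  <filename>") is what sha1sum itself prints, and the same procedure works unchanged with sha256sum and a SHA256SUM manifest.

```shell
#!/bin/sh
# Added example (not from the mirror's documentation): verify a downloaded
# file against the SHA1SUM manifest published beside it.
# The ISO and manifest below are constructed stand-ins for the demo.

# verify_against_manifest MANIFEST FILE
#   returns 0 when FILE's SHA-1 digest matches its MANIFEST entry,
#           1 when the digests differ,
#           2 when MANIFEST carries no entry for FILE.
verify_against_manifest() {
    manifest="$1"
    file="$2"
    name=$(basename "$file")
    # Take only the manifest line whose filename matches exactly; a manifest
    # with extra or look-alike entries must not verify the wrong file.
    expected=$(awk -v f="$name" '$2 == f { print $1; exit }' "$manifest")
    if [ -z "$expected" ]; then
        echo "$name: no entry in $manifest" >&2
        return 2
    fi
    actual=$(sha1sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: FAILED (manifest $expected, computed $actual)" >&2
    return 1
}

# --- constructed demo data (publisher's side: hash the file, publish SHA1SUM) ---
demo=$(mktemp -d)
printf 'stand-in for an ISO image\n' > "$demo/FC-6-i386-disc1.iso"
( cd "$demo" && sha1sum FC-6-i386-disc1.iso > SHA1SUM )

# Untouched download: digests agree.
verify_against_manifest "$demo/SHA1SUM" "$demo/FC-6-i386-disc1.iso"; echo "exit status $?"

# Corrupted or tampered download: a single extra byte changes the digest.
printf 'x' >> "$demo/FC-6-i386-disc1.iso"
verify_against_manifest "$demo/SHA1SUM" "$demo/FC-6-i386-disc1.iso"; echo "exit status $?"

rm -rf "$demo"
```

GNU coreutils can do the same in one step with `sha1sum -c SHA1SUM`, which checks every file named in the manifest; the function above is useful when you have downloaded only one file from a manifest that lists many. Either way, the check only proves the file matches what the manifest's author hashed, so the manifest itself has to come from a source you trust, as the paragraph above says.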


Many developers who package RPMs now, including Red Hat, attach a digital signature to the RPM in order to preserve the integrity of the package. The most popular method for signing a package is with keys produced by Gnu Privacy Guard (GPG). GPG users generate a key pair: a private key, kept secret, which produces signatures (and decrypts data), and a public key, which is distributed so others can verify those signatures (and encrypt data for the key holder). The RPM developer signs the package with their private key, using the rpm command; the signature is stored inside the RPM itself, so it cannot be separated from the package. The developer then places a copy of their public key on the server which holds the signed package. The user who wishes to install the package imports the public key into their RPM keyring, and the signature is then verified with that public key as the package is installed. Only the public key corresponding to the private key used to sign the package will verify the signature.


Many of the packages you will find on this site have been signed using a GPG key. Public keys are available on this site with each repository that uses GPG.
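The user's side of the signing flow described above, as an added example that is not the mirror's or Red Hat's own code: importing a repository's public key into the RPM keyring, checking a package's signature before installing it, and auditing the repository definitions so that unsigned packages are refused. It assumes rpm and yum are the package tools in use (the page does not mention yum), that yum-style *.repo files are where signature checking is configured, and that the key and package paths shown are placeholders.

```shell
#!/bin/sh
# Added example (not the mirror's or Red Hat's code): verify an RPM's GPG
# signature and audit yum repository definitions. Assumptions: rpm/yum are
# the tools, *.repo files hold the gpgcheck setting, paths are placeholders.

# verify_rpm KEYFILE PACKAGE
#   Imports the repository's public key into the RPM keyring and checks the
#   package's signature. rpm -K exits non-zero if the digest or signature
#   fails to verify, or if the signing key is not in the keyring, so the
#   exit status alone is enough to gate an installation.
verify_rpm() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not installed on this host; nothing verified" >&2
        return 3
    fi
    rpm --import "$1" || return 1
    rpm -K "$2"
}

# check_repo_gpg REPOFILE
#   Audits a yum .repo file: every [section] must carry gpgcheck=1 and a
#   gpgkey=, otherwise yum would install packages from it unverified.
#   Prints one line per section and returns 1 if any section is unsafe.
check_repo_gpg() {
    awk '
        function flush() {
            if (name == "") return
            ok = (gpgcheck == "1" && gpgkey != "")
            printf "%s: gpgcheck=%s gpgkey=%s -> %s\n", name,
                   (gpgcheck == "" ? "(unset)" : gpgcheck),
                   (gpgkey == "" ? "(none)" : gpgkey),
                   (ok ? "OK" : "UNSAFE")
            if (!ok) bad++
        }
        /^\[/ { flush(); name = $0; gsub(/^\[|\]$/, "", name); gpgcheck = ""; gpgkey = ""; next }
        /^gpgcheck[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); gpgcheck = $0 }
        /^gpgkey[ \t]*=/   { sub(/^[^=]*=[ \t]*/, ""); gpgkey = $0 }
        END { flush(); exit (bad > 0) }
    ' "$1"
}

# --- constructed demo: one weak and one correct repository definition ---
demo=$(mktemp -d)
cat > "$demo/isu.repo" <<'EOF'
[isu-extras]
name=ISU extras (weak: signatures never checked)
baseurl=http://mirror.example.invalid/extras
gpgcheck=0

[isu-base]
name=ISU base (correct: signed packages only)
baseurl=http://mirror.example.invalid/base
gpgcheck=1
gpgkey=http://mirror.example.invalid/RPM-GPG-KEY-placeholder
EOF
check_repo_gpg "$demo/isu.repo"; echo "exit status $?"
rm -rf "$demo"

# Real use (both paths are placeholders): install only if the signature verifies.
#   verify_rpm /path/to/RPM-GPG-KEY-placeholder /path/to/package.rpm \
#       && rpm -Uvh /path/to/package.rpm
```

Importing a key is the trust decision: once it is in the keyring, every package it signed will verify, so the key file should be fetched from the repository's own page on this site and its fingerprint compared with what the repository publishes before `rpm --import` is run. The repo audit catches the opposite mistake, a repository configured with gpgcheck=0, where yum never looks at the signature at all.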