Re: How secure is Preupgrade? Answer: Not.

Beartooth Sciurivore wrote:
On Wed, 21 May 2008 00:27:17 +0200, Björn Persson wrote:

I went ahead and read the code. [....]

I've got my answer: Preupgrade is not secure. I'll continue upgrading
the way I've done it before – either with Yum or from a DVD image on a
USB stick.

Dumb question, probably: if you install and run preupgrade according to http://fedoraproject.org/wiki/PreUpgrade, BUT let it stop after downloading boot images, is there some user-friendly thing you can do then to make it secure? Something on the order of getting into a directory and commanding, in effect, "check all signatures"?

	Or had we just better wait till PreUpgrade 1.0 comes out? Or ...?

If the latter, do we need to get rid of whatever-all 0.9.3-3 downloaded? Or will we be able to just "yum update PreUpgrade" in F8 and then run it again?

I don't think you can do anything unless you can verify the images on your own after the download. You'll have to track down where everything is stored; I know some of it is in /boot/upgrade, but I am not sure if verifying the images there is all that is needed. I am going to scan the code myself. I am limited in skill when it comes to coding, but I've taken programming classes in the past and of course I am self-teaching the C, so maybe it won't be hard to add the proper checks. In any case I am short on time, so if you haven't used preupgrade I would avoid it for now and go with a more traditional method for the moment. It really sucks that the proper verification isn't done, but until I look into it myself I won't know anything for sure. Not that I don't trust Bjorn's assessment, but everyone makes mistakes, though I think it likely he is on the money. Disappointing that anyone could be so flip about the proper security checks, but we are all only human, I guess. Anyway, someone else may have a good way to go about it. I'd like to find one; this install is perfectly usable with only a small glitch or two. I am rocking to Alice in Chains right now!!

--
On the eighth day he said "There shall be no rest for the weary."

On the ninth day he farted, and it smelled like sulphur.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list