Re: How secure is Preupgrade? Answer: Not.

Beartooth Sciurivore wrote:
> 	Dumb question, probably : if you install and run preupgrade
> according to http://fedoraproject.org/wiki/PreUpgrade, BUT let it stop
> after downloading boot images, is there some user-friendly thing you can
> do then to make it secure? Something on the order of getting into a
> directory and commanding, in effect, "check all signatures"?

No. You can check the RPM packages in /var/cache/yum/anaconda-upgrade/packages 
with rpm --checksig (assuming you have known good public keys in the RPM 
database, but that's required for Yum too). The big problem is that you can't 
check the boot images in /boot/upgrade, because nobody has made signatures 
for them. Making signatures is easy, but only the owners of the Fedora 
project's private key can do it.

> 	Or had we just better wait till PreUpgrade 1.0 comes out? Or ...?

Don't hold your breath. Checking the packages is scheduled for 1.1:

https://fedorahosted.org/preupgrade/ticket/7

Checking the boot images is scheduled for 1.2, but that ticket talks about 
checksums, not signatures, so I think it's only intended to protect against 
accidental corruption, not malicious tampering:

https://fedorahosted.org/preupgrade/ticket/8

> 	If the latter, do we need to get rid of whatever-all 0.9.3-3
> downloaded? Or will we be able to just "yum update PreUpgrade" in F8 and
> then run it again?

I get the impression that Preupgrade is intended to keep previously downloaded 
files if you run it again, and only download missing files and new 
dependencies, if any.

If you choose to upgrade with Yum it should be possible to tell Yum to use the 
packages that Preupgrade downloaded. The security will then be the same as in 
any yum update command. Just be sure to delete the unchecked boot images so 
you don't accidentally boot them.

Björn Persson

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
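
Added example, not part of the original message or of Preupgrade: a shell script for the package check the reply describes, running `rpm --checksig` over a directory and flagging packages that pass only digest checks without a verified signature. The function names are hypothetical, and the output tokens it matches are an assumption about rpm's output format, which varies between rpm versions.

```shell
#!/bin/sh
# Added example: audit a directory of RPMs with `rpm --checksig`.
# Function names are hypothetical; the matched tokens are an assumption
# about rpm's output, which differs between rpm versions.

# Classify one line of `rpm --checksig` output.
#   signed-ok : a signature was verified against a key in the RPM database
#   unsigned  : only digests were checked, so tampering is not ruled out
#   bad       : verification failed, key missing, or file unreadable
classify_checksig() {
    result=${1#*: }                 # drop the leading "file: "
    case " $result " in
        *"NOT OK"*) echo bad; return ;;
        *" OK "*)   ;;              # passed; decide below what was checked
        *)          echo bad; return ;;
    esac
    case " $result " in
        *" gpg "*|*" pgp "*|*" dsa "*|*" rsa "*|*" signatures "*)
            echo signed-ok ;;
        *)  echo unsigned ;;
    esac
}

# Check every *.rpm in directory $1 and list the ones that are not signed-ok.
# Returns non-zero if any package fails that policy.
check_dir() {
    failures=0
    for pkg in "$1"/*.rpm; do
        [ -e "$pkg" ] || continue
        out=$(rpm --checksig "$pkg" 2>&1)
        verdict=$(classify_checksig "$out")
        if [ "$verdict" != signed-ok ]; then
            printf '%s\t%s\n' "$verdict" "$pkg"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Run with the directory as the only argument, for example
# /var/cache/yum/anaconda-upgrade/packages
if [ "$#" -gt 0 ]; then
    check_dir "$1"
fi
```

This covers only the RPM packages; as the reply says, the boot images in /boot/upgrade have no signatures to check.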