Re: How secure is Preupgrade? Answer: Not.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Björn Persson wrote:
stan wrote:
If anaconda uses rpm to do the upgrade, there is a blurb in the man file
stating that rpm automatically does the md5 check on install.  I think
these are signed with a Fedora specific key, so they would fail if they
weren't official or were tampered with.

Checking the MD5 sum detects accidentally corrupted packages. To detect that a package has been tampered with you have to check the PGP signature. A bad guy can easily generate a new MD5 sum for his modified package. He can't generate a new PGP signature unless he has a private key that corresponds to one of the public keys that are loaded in your local RPM database.

But as the installer may have been tampered with, it may have inserted the bad guy's own key in your RPM database, or it may have installed a modified RPM that says everything is OK, or any other nasty stuff. I don't think the probability is all that high, but the possibility is there.

Björn Persson

Thanks for clarifying this.  Looks like it is back to DVD. :-(

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux