Re: Is this possible in Fedora?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2009-12-11 at 22:16 +0530, Rahul Sundaram wrote:
> On 12/11/2009 08:34 PM, Tim wrote:
>  It'll take quite some effort, not impossible, but very
> > difficult, to get a signed compromising package into the repos.
> 
> Unfortunately, I don't think it's that difficult. Why do you believe it is?

It does at least require the cooperation of an insider. To me, that
raises the bar quite a bit. But it is true that signing of packages does
not protect against someone with access to the signing key who is
working for nefarious purposes. Insider attacks (where the attack comes
from someone who is trusted) are always considerably more difficult to
defend against.

The other avenue of possible attack, we have already seen in that major
incident that nobody is talking about )-: where the bad guys actually
did apparently get access to the signing key (although the official
statement is that no malicious signed packages ever got out). That
resulted in the key being changed and all sorts of pain for every Fedora
user, so we all know about that one. But that sort of attack is
difficult to pull off undetected. An insider attack is much more likely
to result in wide distribution of a malicious package before it is
detected.

--Greg


-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux