On Sat, 16 Aug 2014 22:20:26 +0000 Joonas Lehtonen <joonas.lehtonen@xxxxxxxxxxxxx> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > Hi, > > over five years ago vulnerabilities in Fedora's (and others) package > managers [1] have been presented at USENIX. > > And even though yum supports repo_gpgcheck since 2008 [2] > Fedora still does not make use of it to protect the repo metadata. > > Are there specific reasons why Fedora still does not sign its repo > metadata to prevent metadata manipulation attacks (i.e. "hiding" > updates)? The LWN article from 2009 somehow hinted that it was about > to be enabled in Fedora 11? [1] It's logistically difficult to sign the repodata... but of course it could be done. Many, if not all of the things they mention (I can't seem to find a link to the orig USENIX pdf thats still valid to be sure) were fixed by us moving to using metalinks by default. The metalink is fetched over https and the ssl certs are checked. The metalink has checksums of the current and previous repodata only. If the mirror doesn't have either of those, it's skipped. At least I can't off hand think that any of the items they mention not being taken care of by metalinks, but perhaps I missed something. ;) > I filed a bug against fedora-release (covering the missing > repo_gpgcheck in fedora.repo) [3]. > Which component would I file the missing repomd.xml.asc (on fedora's > repositories) against? Release engineering trac instance I suppose... https://fedorahosted.org/rel-eng/ kevin
Attachment:
signature.asc
Description: PGP signature
-- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
