On Wed, 15 Jan 2003, Michael A. Peterson wrote:

> May I suggest that yum checks that the downloaded header file is not just
> a 404 error from the web server? :)

Certainly -- lots of good coding practice options exist -- also check that size is non-zero; and here, that the gzip CRC checksum is intact, and later, that the header has all four fields of another version.

We are spoiled by the robustness of the internet as a transport, when stuff mostly works. But there are evil people out there, and yum headers are not GPG signed -- It seems there are possibilities for exploits which could be forged and pushed out if a yum mirror were compromised, and cleverly written rogue content .hdr's were substituted; as was the case with the tcpdump, and sendmail mirrors in recent months ... a good gzip checksum should be trivial to forge -- maybe more is needed to confirm the 'goodness' of a header still.

Food for thought.

One of the things that drives me nuts on python is that it is so direct in pointing out (via stack traces) that one has not checked all return codes. <smile>

-- Russ Herrold
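The checks discussed in this message, as an added Python example that is not part of the original post and is not yum's code: it rejects error pages, empty bodies and damaged gzip streams, then shows that a substituted archive with a valid CRC still passes unless its digest is compared with one taken from separately authenticated metadata. The function name, the sample bytes and the source of the pinned SHA-256 are assumptions of this example.

```python
import gzip
import hashlib
import zlib

GZIP_MAGIC = b"\x1f\x8b"

def check_header(status, body, pinned_sha256=None):
    """Return (ok, reason) for a downloaded .hdr body.

    pinned_sha256 is an assumption of this example: a hex digest taken from
    metadata whose signature was verified by some other means.
    """
    if status != 200:
        return False, "http status %d" % status
    if len(body) == 0:
        return False, "empty body"
    if body[:2] != GZIP_MAGIC:
        # Catches an HTML error page served with a 200 status.
        return False, "not gzip (error page?)"
    try:
        payload = gzip.decompress(body)  # verifies the CRC32 and length trailer
    except (OSError, EOFError, zlib.error) as exc:
        return False, "gzip damaged: %s" % exc
    if not payload:
        return False, "empty payload"
    # The CRC only detects accidental damage; anyone who can replace the file
    # can recompute it. Authenticity needs a digest from a trusted source.
    if pinned_sha256 is not None:
        if hashlib.sha256(body).hexdigest() != pinned_sha256:
            return False, "digest mismatch"
    return True, "ok"

# Constructed sample inputs (not real yum headers).
ERROR_PAGE = b"<html><body>404 Not Found</body></html>"
GENUINE = gzip.compress(b"constructed header payload, version 1", mtime=0)
DAMAGED = GENUINE[:-8] + bytes([GENUINE[-8] ^ 0xFF]) + GENUINE[-7:]  # CRC byte flipped
FORGED = gzip.compress(b"constructed substituted payload", mtime=0)   # CRC is valid
PINNED = hashlib.sha256(GENUINE).hexdigest()

if __name__ == "__main__":
    for name, args in [("404", (404, ERROR_PAGE)), ("soft 404", (200, ERROR_PAGE)),
                       ("damaged", (200, DAMAGED)), ("forged, no pin", (200, FORGED)),
                       ("forged, pinned", (200, FORGED, PINNED)),
                       ("genuine, pinned", (200, GENUINE, PINNED))]:
        print(name, "->", check_header(*args))
```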