[Yum] Security of yum rpms

On Thu, 2003-10-30 at 14:05, Robert G. Brown wrote:

> Seth is actually an alien creature originally from a small planet
> orbiting Arcturus.  If one surprises him unawares, he is often muttering
> something about a place named "R'Lyeh" and some dude named "Ktooloo".
> He is disguised as an Albanian terrorist, disguised as a systems
> programmer, seeking to take control of all the computers on the planet
> that matter (all of the ones running linux).

You forgot to mention that he paints really scary pictures in his
basement studio :-)

> > Alternatively, rpm signing could be enabled instead:
> > * run "gpg --install /usr/share/rhn/RPM-GPG-KEY"
> > * have the yum.conf file always set gpgcheck=1
> > This would at least ensure that if a cracker installed a trojan in the
> > duke yum repository, it would be rejected due to invalid signature.
> 
> Maybe.  I personally wouldn't trust gpg checking all that far as this
> also involves one in loops of trust and who you gonna trust to tell you
> who NOT to trust (and with what tools).

I don't understand. By adding the RedHat public key to my keyring, and
setting gpgcheck=1 in my yum.conf file for each source of rpms, **only**
packages issued by RedHat's team will ever be installed. Someone can
crack redhat, fedora, or any other rpm mirror, and I don't care. Only if
someone steals RedHat's private key do I need to worry.

No matter how many repositories I point my yum.conf at, the signature on
every RPM is checked before installation. And due to the magic of public
key cryptography, no-one can fake a RedHat signature. So *my* servers
are very safe. 

Ok, I can't distribute rpms from non-redhat builders to my servers; for
that I need to either install the public key of the builder, or figure
out how to "resign" the rpms with my key (and add my public key to the
keyring on each server). Any hints on how to do resigning are welcome...

The problem with the current yum installation is that users with less
than my level of paranoia are open to cracking. And Magnus Hedemark says
in another reply on this thread that the Duke servers are under heavy
load, so more mirrors may be added to the default config file. In that
case, "normal" users will then be trusting the security not only of the
Duke servers, but all other servers. One mistake, or one evil junior
sysadmin, and Microsoft will have a ball with the resulting publicity.

In fact, the current approach really reminds me of Microsoft's approach
to security: convenience first, safety later. I would prefer to see
systems which are secure by default, with users *deliberately* having to
weaken security if they want more convenience.

This is nothing to do with yum as a tool; yum is cool. It is all to do
with what yum-xxxx.rpm does in terms of reconfiguring the local machine
when it is installed.

> 
> In my direct experience there is no such thing as secure, only varying
> degrees of risk that have to be weighed against the benefits associated
> with different choices.  For example, you could set up a twinned mirror
> (with gpgchecking and all) but insert a one week lag between the
> appearance of a new package and your making it available in your
> repository for client updates.  This gives egregiously trojanned glibc's
> time to surface among the systems of risk-takers who installed it right
> away (so you can avoid it, maybe) at the expense of increasing the
> window of opportunity that exists when a critically patched rpm is
> delayed.

If all servers running the yum client app insist on rpms being signed by
trusted parties whose public keys are installed into their local
keyring, then there is no need for any of this; the rpms have a
guaranteed trusted source. No trojans allowed.


NB: I am running yum-1.0.3 on RH8. My apologies if some/all of this is
not relevant to the latest versions of yum.

Regards,

Simon


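An added example, not from Simon's post and not code from the yum project: a small shell script that audits a yum.conf the way the post wants the default to behave, reporting every repository section that would install packages without a signature check and failing if there is one. The two sample configs, the mirror hostnames in them and the section names are constructed here for illustration. The script assumes the yum.conf convention that a gpgcheck line in [main] supplies the default for sections that do not set their own; the post does not say whether yum 1.0.3 honours that, so the report shows where each value comes from, and setting gpgcheck=1 in every section as Simon does remains the safe choice.

```shell
#!/bin/sh
# Added example (not code from the original post or from yum): audit a
# yum.conf so that every repository section ends up with gpgcheck=1, either
# set directly or inherited from [main]. Both configs below are constructed.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# A "convenience first" config: one mirror switches the check off and
# another never mentions it, so both would accept an unsigned trojan.
# The mirror hostnames are hypothetical.
WEAK_CONF="$WORKDIR/yum-weak.conf"
cat >"$WEAK_CONF" <<'EOF'
[main]
cachedir=/var/cache/yum
debuglevel=2
logfile=/var/log/yum.log

[base]
name=Red Hat Linux $releasever base
baseurl=http://mirror.example.org/rhl/$releasever/base/
gpgcheck=1

[updates]
name=Red Hat Linux $releasever updates
baseurl=http://mirror.example.org/rhl/$releasever/updates/
gpgcheck=0

[extras]
name=third-party extras
baseurl=http://extras.example.org/rhl/$releasever/
EOF

# The hardened form: gpgcheck=1 in [main] is the default and no section
# turns it off, so a cracked mirror can only serve packages that fail.
HARDENED_CONF="$WORKDIR/yum-hardened.conf"
cat >"$HARDENED_CONF" <<'EOF'
[main]
cachedir=/var/cache/yum
gpgcheck=1

[base]
name=Red Hat Linux $releasever base
baseurl=http://mirror.example.org/rhl/$releasever/base/
gpgcheck=1

[updates]
name=Red Hat Linux $releasever updates
baseurl=http://mirror.example.org/rhl/$releasever/updates/
EOF

# audit_yum_conf FILE
# Prints "<repo> <effective gpgcheck> <source>" for every section other
# than [main]; source is "section", "main" (inherited) or "-" (unset).
audit_yum_conf() {
    awk '
        # Section header: remember repository order (skip [main]).
        /^[ \t]*\[.*\][ \t]*$/ {
            sec = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            if (sec != "main") order[++n] = sec
            next
        }
        # gpgcheck=<v>: [main] supplies the default, other sections override.
        /^[ \t]*gpgcheck[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)
            sub(/[ \t]*$/, "", v)
            if (sec == "main") maindef = v; else val[sec] = v
        }
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (s in val)           print s, val[s], "section"
                else if (maindef != "") print s, maindef, "main"
                else                    print s, "MISSING", "-"
            }
        }
    ' "$1"
}

# yum_conf_ok FILE: succeeds only if every repository checks signatures.
yum_conf_ok() {
    audit_yum_conf "$1" | awk '$2 != "1" { bad = 1 } END { exit bad + 0 }'
}

# count_unchecked FILE: repository sections that would install unsigned rpms.
count_unchecked() {
    audit_yum_conf "$1" | awk '$2 != "1" { n++ } END { print n + 0 }'
}

for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    echo "== $f"
    audit_yum_conf "$f"
    if yum_conf_ok "$f"; then
        echo "OK: every repository verifies signatures"
    else
        echo "FAIL: $(count_unchecked "$f") repository section(s) skip signature checks"
    fi
done
```

The audit only covers the client side of the argument; the key itself still has to be on each server. On Red Hat 8's rpm 4.1 the key goes into the rpm database with `rpm --import /usr/share/rhn/RPM-GPG-KEY` (rpm 4.0 kept keys in root's gpg keyring instead), and `rpm --checksig some.rpm` shows what yum's gpgcheck would decide for a single package. For the resigning Simon asks about, rpm's `--resign` (and `--addsign`) use the key named by the `%_gpg_name` macro in ~/.rpmmacros; the resigned packages then verify against that key once it has been imported on every client, which is exactly the second public key the post says it would need.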