[Yum] Signed repository?

> What I am concerned about is RPM dependencies. If rpm headers and dependency 
> lists are not signed and an attacker could gain access to the repodata, would it 
> be possible to fake dependencies? Or does yum check dependencies based on the 
> real RPMS?

yum does a final depcheck with the real rpms.

> Is the following scenario possible with yum-arch or createrepo and yum:
> - User updates his/her system automatically from cron (yum -y update)
> - Yum does gpgcheck
> - System does not have openssh-server installed
> - Attacker gains access to the yum repository or hijacks the connection to the 
> yum repository
> - New official update is released, let's say kde-3.4
> - Attacker forges the kde-3.4 header to have a dependency on openssh-server
> - Yum installs openssh-server when kde-3.4 is updated

Forging the header is actually harder than you'd expect, considering
that the headers are pulled directly from the rpm in yum 2.1.X.

There are other ways you could mess with a machine with forged repodata.
I think the repodata should be signed. But we'll need a good way to
check a sig on the metadata and, of course, those sigs will need to be
stored in a normal gpg key ring, not in the rpmdb.


-sv
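The check the reply asks for, as an added example that is not part of the list post or of yum itself: verify the detached signature on repomd.xml against a dedicated gpg keyring (not the rpmdb), then verify that every metadata file repomd.xml lists still matches its recorded checksum, so forged primary.xml dependencies are caught before depsolving. The repomd.xml layout and namespace used here are those written by createrepo (assumed); the sample repository is constructed inline.

```python
import hashlib
import subprocess
import xml.etree.ElementTree as ET

NS = "{http://linux.duke.edu/metadata/repo}"   # createrepo's repomd namespace (assumed)

def gpg_verify_argv(keyring, sig_path, data_path):
    """gpg invocation that checks a detached signature against a dedicated keyring,
    i.e. a normal gpg key ring rather than the rpmdb."""
    return ["gpg", "--no-default-keyring", "--keyring", keyring,
            "--verify", sig_path, data_path]

def gpg_verify(keyring, sig_path, data_path):
    """True only if gpg accepts repomd.xml.asc for repomd.xml (needs gpg on PATH)."""
    proc = subprocess.run(gpg_verify_argv(keyring, sig_path, data_path), capture_output=True)
    return proc.returncode == 0

def verify_repomd(repomd_xml, files):
    """Check every <data> entry of a (signature-verified) repomd.xml against the
    bytes in files (href -> bytes). Returns {data type: True/False}; a missing file,
    unknown digest or bad digest is False, so a caller can refuse the repo on any False."""
    results = {}
    for data in ET.fromstring(repomd_xml).findall(NS + "data"):
        href = data.find(NS + "location").get("href")
        csum = data.find(NS + "checksum")
        algo = {"sha": "sha1"}.get(csum.get("type"), csum.get("type"))  # old createrepo wrote "sha"
        body = files.get(href)
        try:
            ok = body is not None and hashlib.new(algo, body).hexdigest() == csum.text.strip()
        except ValueError:          # digest algorithm not supported by hashlib
            ok = False
        results[data.get("type")] = ok
    return results

# Constructed sample repository, not real metadata.
SAMPLE_FILES = {
    "repodata/primary.xml.gz": b"<metadata packages='1'><package type='rpm'/></metadata>",
    "repodata/filelists.xml.gz": b"<filelists packages='1'/>",
}

def build_repomd(files):
    """Render a repomd.xml in createrepo's layout for the constructed files."""
    entries = []
    for href, body in files.items():
        dtype = href.rsplit("/", 1)[-1].split(".", 1)[0]      # primary.xml.gz -> primary
        entries.append('<data type="%s"><location href="%s"/>'
                       '<checksum type="sha256">%s</checksum></data>'
                       % (dtype, href, hashlib.sha256(body).hexdigest()))
    return '<repomd xmlns="http://linux.duke.edu/metadata/repo">%s</repomd>' % "".join(entries)

SAMPLE_REPOMD = build_repomd(SAMPLE_FILES)
```

In a real run, call gpg_verify on repomd.xml.asc first and only then feed the downloaded metadata files to verify_repomd; a signature on repomd.xml alone is what anchors the rest of the chain.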
