Re: yum/RPM and Trust on First Use





On 20/12/15 10:28, Gordon Messmer wrote:
> On 12/19/2015 09:49 AM, Alice Wonder wrote:
>>
>> With third party repositories the key and configuration file are often
>> distributed separately. That's the potential attack vector for trojan
>> keys.
> 
> Examples?
> 
> All of the notable repositories that I'm aware of publish an
> x-release.rpm that installs their key and yum repo file.  But if your
> concern is that users might manually install a repo file and public key,
> then I don't see how modifying yum would change that. The attacker would
> probably include a key that contains an address they control and
> validates properly against it.
> 
> In other words, I think the solution to the problem is simply to make
> sure that the repositories publish their "release" rpm over https and
> that documentation reflects the secure URL.  I notice now that EPEL
> links directly to the https URL for their release rpm, but their FAQ
> still provides a command-line example for installation using an http URL.
> 
> The FAQ should be updated.  That method is a potential security problem
> because it doesn't use https and doesn't check the package signature.
> But the solution is simply to replace http with https in the FAQ.  yum
> isn't used to install the release package, and I think the solution is
> to make sure that malicious release packages don't get installed, not to
> try to behave well on a system where an attacker already installed
> malicious data.
> 

Unless I'm mistaken, RPM in el5 does not support the https protocol.


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
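The procedure discussed in the quoted text (fetch a third-party "release" RPM over https and check its signature rather than relying on whatever key the package carries), written out as an added example; this is not code from the list message, from EPEL, or from any repository's own release package. It assumes a hypothetical repository at example.invalid that publishes its key file separately, and a key fingerprint obtained out of band (the project's website or a known-good machine). Downloading with curl and handing rpm a local file also sidesteps the question of whether rpm itself can fetch over https. The `rpm -K` output formats it recognises are those of rpm 4.x before and after 4.14.

```shell
#!/bin/sh
# Added example, not code from the list post or from any repository's
# release package. It installs a third-party "release" RPM fetched over
# https, with the signing key checked against a fingerprint obtained out
# of band and the package signature verified before rpm installs it.
# Hypothetical inputs (placeholders, not a real repository):
#   url        https://example.invalid/x-release.rpm
#   key_url    https://example.invalid/RPM-GPG-KEY-example
#   expected   key fingerprint copied from the project's documentation
set -u

# Accept only https:// URLs. A plain http:// URL is exactly the weak
# spot in a FAQ-style "rpm -Uvh http://..." one-liner, so refuse it
# rather than rewriting it behind the user's back.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-https URL: $1" >&2; return 1 ;;
    esac
}

# Fingerprints appear grouped in fours (gpg) or as one hex string
# (docs); compare them with case and whitespace stripped.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

fingerprint_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Decide whether one "rpm -K" (--checksig) output line proves a signature
# verified against an imported key. The pitfall: an *unsigned* package
# prints "sha1 md5 OK" (older rpm) or "digests OK" (rpm >= 4.14) and
# exits 0, so the exit status alone is not enough. A verified signature
# shows up as lowercase "pgp" (older rpm) or "signatures" (rpm >= 4.14).
checksig_ok() {
    case "$1" in
        *"NOT OK"*) return 1 ;;
    esac
    case "$1" in
        *" OK") ;;
        *) return 1 ;;
    esac
    case "$1" in
        *pgp*|*signatures*) return 0 ;;
        *) return 1 ;;
    esac
}

# Primary-key fingerprint of an armored key file (fpr record, field 10).
# Assumes gpg lists a key file passed as an argument; on gpg >= 2.1.13
# "--import-options show-only --import" is the documented equivalent.
key_fingerprint() {
    gpg --batch --with-colons --with-fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

install_release_rpm() {
    url=$1; key_url=$2; expected=$3
    require_https "$url" || return 1
    require_https "$key_url" || return 1
    tmp=$(mktemp -d) || return 1
    # curl verifies the server certificate by default; -f turns HTTP
    # errors into a non-zero exit instead of a saved error page.
    curl -fsS -o "$tmp/release.rpm" "$url" || { rm -rf "$tmp"; return 1; }
    curl -fsS -o "$tmp/repo.key" "$key_url" || { rm -rf "$tmp"; return 1; }
    actual=$(key_fingerprint "$tmp/repo.key")
    if ! fingerprint_matches "$actual" "$expected"; then
        echo "key fingerprint mismatch: got '$actual', expected '$expected'" >&2
        rm -rf "$tmp"; return 1
    fi
    # Import only after the fingerprint check, so rpm -K verifies the
    # package against this key and not against something the package
    # or the download supplied.
    rpm --import "$tmp/repo.key" || { rm -rf "$tmp"; return 1; }
    out=$(rpm -K "$tmp/release.rpm" 2>&1 || true)
    if ! checksig_ok "$out"; then
        echo "signature check failed: $out" >&2
        rm -rf "$tmp"; return 1
    fi
    rpm -Uvh "$tmp/release.rpm"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage (placeholders; the fingerprint must come from an out-of-band source):
# install_release_rpm https://example.invalid/x-release.rpm \
#     https://example.invalid/RPM-GPG-KEY-example \
#     '1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678'
```

The order matters: the key is imported only after its fingerprint has been matched, and the package is handed to rpm only after `rpm -K` reports a verified signature, not merely matching digests. Once the release package has installed its .repo file and key with `gpgcheck=1`, yum does the same checking for every package that follows.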
