On Wed, 2007-08-22 at 13:13 -0800, Jeff Spaleta wrote:
> On 8/22/07, David Zeuthen <davidz@xxxxxxxxxx> wrote:
> > Assume that Alice gets Fedora from Mallory's mirror. What prevents
> > Mallory from patching the rpm and yum programs that end up on Alice's
> > system to avoid honoring the keys that we, painfully, make her import?
>
> would signing our mirror metadata help?

Hmm... Let's say someone is doing a MITM attack on your yum mirrors (probably by replacing the mirrorlist with a list of their servers, or using DNS tricks to point everything to them). What can they do?

They can certainly hide updates, giving you an outdated view of the repo so you don't get any security updates. Anything else?

Anyway, I think every file on the mirrors should be signed somehow, and everything downloaded by yum, Anaconda or the bootstrap code on boot.iso and all the other ISOs should be checked against a public key included on the boot media. So basically, if you have a trusted CD containing boot.iso, your install would potentially be totally secure.

Btw, RHEL should do this too, because both with RHEL and Fedora, if you do an FTP install, there's no verification of the packages, AFAICT. With RHEL, you might have an internal FTP server with the extracted OS distribution, but you're still assuming that your network is secure, which is something you should always avoid doing.

> would importing the provided keys at install time help?
> (We have to assume the install media is trusted)

I think the installer should be free to rpm --import anything it puts in /etc/pki, but it probably does not make sense to import rawhide keys etc.

/abo

--
Fedora-desktop-list mailing list
Fedora-desktop-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-desktop-list