On Sat, 2009-04-18 at 16:56 +0200, Till Maas wrote: > This is what I know and hope is true: The deltarpm tools are only used to > regenerate the original rpms instead of downloading then. Therefore they still > need to pass all verification that yum or rpm do, e.g. checking the gpg > signature. Therefore an attacker needs access to the signing keys to create a > malicous deltarpm that has a real security impact. Exactly. The md5 checksum in the deltarpm functions as just that, a checksum against accidental corruption. The security check comes from the gpg signature after the rpm has been regenerated. Jonathan
Attachment:
signature.asc
Description: This is a digitally signed message part
-- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
