Chris Adams wrote:
> Still using Token Ring because that evil random Ethernet could fail?
No (we're basically all being forced to use Ethernet, it's everywhere), but
Ethernet's design makes me feel extremely uncomfortable. Give it enough load
and it WILL break down under the collisions.
> How do you verify RPMs (or any other signed data for that matter)?
Hashes work for signatures because they only need to protect against
intentional collisions. But yes, they won't give you 100% certainty that the
package hasn't been tampered with, just strong evidence. (But that'd be the
case even if you sign the whole bytestream, since there's always the
eventuality that the attacker has secretly compromised the signature
algorithm or the signing key.) It's better to have 99.99999% certainty of an
untampered package than no certainty at all.
That said, I've installed enough stuff with no signature checking at all… In
fact, almost all of us did at some point, e.g. the first time you install a
third-party repository's *-release RPM, you can't check its signature.
(Well, you could download the key from the web page and check manually, but
how do you verify that the key you downloaded is the correct one?)
In addition, even packages legitimately signed by the repository could have
been compromised at some other point in the chain.
Signature mechanisms are NOT the perfectly tamper-proof protection they're
advertised as.
Kevin Kofler
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
