On Thu, 5 Aug 2010, Till Maas wrote:

> On Thu, Aug 05, 2010 at 01:11:24PM -0600, Kevin Fenzi wrote:
> > On Wed, 04 Aug 2010 22:03:14 +0200
> > Till Maas <opensource@xxxxxxxxx> wrote:
> >
> > > The attack is quite trivial:
> > > 1) clone the git pkg Fedora repos
> > > 2) commit some nasty change
> > > 3) publish the repo on some server
> > > 4) if the victim wants to fetch from the Fedora pkg repo, use the MITM
> > > attack to make him fetch from the server set up in step 3. Steps 1-3
> > > can obviously be done on-demand.
> > >
> > > If this is e.g. done on a conference / FUDCon / Fedora Action Day, the
> > > attack can easily be targeted to make the change in step 2 be expected to
> > > be fast forward. E.g. if packages simply need to be bumped for a
> > > rebuild, an upload of a bad tarball and modification of the sources
> > > file might be unnoticed.
> >
> > Just to clarify, as this is a long thread:
> >
> > This only works if people are using git:// urls, not the default for
> > fedora ssh: ones, right? (provided you have connected before to
> > pkgs.fedoraproject.org and have the known_hosts entry?)
>
> Yes ssh is secure if used properly. To get the proper known_hosts entry,
> one has to download https://admin.fedoraproject.org/ssh_known_hosts btw.
>

We also use SSHFP records for those of you that want to enable
VerifyHostKeyDNS yes in their ~/.ssh/config files. Not all of our hosts
have it but many of our 'user' based external hosts do (pkgs,
fedorapeople, fedorahosted, etc)

	-Mike
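The thread names two ways to pin the server key: a downloaded known_hosts entry and an SSHFP record in DNS. The sketch below is an added example, not part of the original messages and not Fedora's tooling; it checks that the two agree by hashing the known_hosts key blob the way SSHFP does. The host name pkgs.example.test, the key bytes and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP key algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

def make_entry(host, raw_key):
    """Build a constructed (not real) ed25519 known_hosts line for the demo."""
    kt = b"ssh-ed25519"
    blob = struct.pack(">I", len(kt)) + kt + struct.pack(">I", len(raw_key)) + raw_key
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

def parse_known_hosts_line(line):
    """Return (hostnames, key_type, key_blob) from one known_hosts entry."""
    fields = line.split()
    if fields and fields[0].startswith("@"):   # @cert-authority / @revoked marker
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("not a known_hosts entry")
    blob = base64.b64decode(fields[2], validate=True)
    # The blob begins with its own length-prefixed key type; it must agree.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != fields[1].encode():
        raise ValueError("key type does not match key blob")
    return fields[0].split(","), fields[1], blob

def sshfp_rdata(key_type, blob, fp_type=2):
    """RDATA of the SSHFP record a zone should publish for this host key."""
    return f"{KEY_ALGS[key_type]} {fp_type} {FP_HASHES[fp_type](blob).hexdigest()}"

def matches_sshfp(line, rdata):
    """True if the known_hosts key hashes to the fingerprint in the SSHFP RDATA."""
    _, key_type, blob = parse_known_hosts_line(line)
    parts = rdata.split()
    if len(parts) < 3 or not (parts[0].isdigit() and parts[1].isdigit()):
        return False
    alg, fp_type = int(parts[0]), int(parts[1])
    if KEY_ALGS.get(key_type) != alg or fp_type not in FP_HASHES:
        return False
    published = "".join(parts[2:]).lower()     # zone files may split the hex
    return hmac.compare_digest(FP_HASHES[fp_type](blob).hexdigest(), published)

SAMPLE_LINE = make_entry("pkgs.example.test", bytes(range(32)))   # constructed

if __name__ == "__main__":
    record = sshfp_rdata(*parse_known_hosts_line(SAMPLE_LINE)[1:])
    print("pkgs.example.test. IN SSHFP", record, matches_sshfp(SAMPLE_LINE, record))
```

A match only carries weight when the SSHFP answer was obtained over a DNSSEC-validated path; an unsigned answer can be spoofed by the same man in the middle the thread describes.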