On Sun, 27 Apr 2014 17:36:57 -0700 quickbooks office <quickbooks.office@xxxxxxxxx> wrote:

> If the packages in Rawhide are not signed aren't rawhide users
> vulnerable to man-in-the-middle attacks?

Well, not trivially in the default configuration.

By default, yum is set to get a metalink from mirrormanager via https. In this metalink is a list of mirrors and a checksum of the repomd.xml file. I haven't tested for sure, but if the ssl cert doesn't validate, I think yum will error out here. If you are using a dnssec enabled resolver, you will be sure to get the right host.

Next it goes to the first mirror in the list and gets the repomd.xml file (usually via http). However, if the file doesn't match the checksum, it will not use it and try the next mirror.

Next it gets the other repomd files it needs, but they are all checked against checksums in the repomd.xml file, and if tampered with yum won't use them. Those files include the primary one that has sha256sums for all packages.

If a downloaded package doesn't match the checksum, it will think it has a bad download and not continue.

> Worse it also allows mirrors to send out malicious packages to certain
> users, as the package will not be checked by the end user?

At least using the metalink, yum should see the checksum on this package doesn't match and assume it was corrupt.

> I really think all the packages in Rawhide should be signed before
> being pushed out the end user.

If it was simple to do we would have done it. ;)

See Bruno's link to the releng ticket discussing this...

kevin
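The verification chain Kevin describes (metalink fetched over https, then repomd.xml, then the primary metadata, then the package sha256), as an added example that is not part of the original mail and not yum's own code: a small Python checker run over a constructed in-memory repository with three made-up mirrors, one that alters repomd.xml, one that serves genuine metadata but a tampered package, and one honest mirror. The XML is simplified (no namespaces) and the mirror names and package contents are constructed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
# Constructed repository (simplified XML, no namespaces); hashes are computed so the chain is consistent.
PKG_GOOD, PKG_BAD = b"rpm: hello-1.0 (genuine build)", b"rpm: hello-1.0 (tampered on a mirror)"
PRIMARY = (f'<metadata><package><checksum type="sha256" pkgid="YES">{sha256(PKG_GOOD)}'
           '</checksum><location href="Packages/hello-1.0.rpm"/></package></metadata>').encode()
REPOMD = (f'<repomd><data type="primary"><checksum type="sha256">{sha256(PRIMARY)}</checksum>'
          '<location href="repodata/primary.xml"/></data></repomd>').encode()
METALINK = (f'<metalink><files><file name="repomd.xml"><verification><hash type="sha256">{sha256(REPOMD)}'
            '</hash></verification><resources><url>http://forged.example/repodata/repomd.xml</url>'
            '<url>http://swap.example/repodata/repomd.xml</url><url>http://good.example/repodata/repomd.xml'
            '</url></resources></file></files></metalink>')
# Plain-http mirrors: "forged" alters repomd.xml; "swap" has genuine metadata but a tampered package.
MIRRORS = {
    "http://forged.example/repodata/repomd.xml": REPOMD + b"<!-- altered -->",  # any edit breaks the hash
    "http://swap.example/repodata/repomd.xml": REPOMD,
    "http://swap.example/repodata/primary.xml": PRIMARY,
    "http://swap.example/Packages/hello-1.0.rpm": PKG_BAD,
    "http://good.example/repodata/repomd.xml": REPOMD,
    "http://good.example/repodata/primary.xml": PRIMARY,
    "http://good.example/Packages/hello-1.0.rpm": PKG_GOOD,
}

def fetch(url: str) -> bytes:
    return MIRRORS[url]  # stands in for the plain-http download

def pick_mirror(metalink: str):
    """Return (base URL, repomd bytes) of the first mirror whose repomd.xml matches the metalink hash."""
    entry = ET.fromstring(metalink).find("files/file")
    want = entry.find("verification/hash").text
    for url in entry.iterfind("resources/url"):
        repomd = fetch(url.text)
        if sha256(repomd) == want:
            return url.text.rsplit("/repodata/", 1)[0], repomd
    return None, None  # every mirror served a repomd.xml that does not match the metalink

def verify_package(base: str, repomd: bytes, href: str):
    """Check primary against repomd.xml, then the package against primary; None if anything was altered."""
    data = ET.fromstring(repomd).find("data[@type='primary']")
    primary = fetch(f"{base}/{data.find('location').get('href')}")
    if sha256(primary) != data.find("checksum").text:
        return None
    for pkg in ET.fromstring(primary).iter("package"):
        if pkg.find("location").get("href") == href:
            blob = fetch(f"{base}/{href}")
            return blob if sha256(blob) == pkg.find("checksum").text else None
    return None  # package not listed in primary, so nothing vouches for it
```

Note that the "swap" mirror passes the repomd.xml step and is only caught at the package step, which is exactly the mirror-substitution case the second quoted question asks about.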
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct