* Jason L. Tibbitts, III:

>>>>>> "FW" == Florian Weimer <fweimer@xxxxxxxxxx> writes:
>
> FW> At one point, there was a verified hash chain from the https://
> FW> metalink service, to the repository metadata, down to individual
> FW> packages. Any tampering was detected then.
>
> I understand that the metalink contains enough information to verify the
> returned repomd.xml files, but I guess I don't really know if there's
> enough data to chase that down to the checksum of every file that's ever
> expected to be on a mirror.

repomd.xml has hashes for primary.xml etc., and primary.xml contains
digests of the RPM files. In theory, it can all be checked.

At one point, RPM wrote unchecked file contents to disk, leading to
vulnerabilities such as CVE-2013-6435. At the time, it was not possible
to teach RPM to verify the data before writing it.

> If it is, then great, though signatures still have value because there
> are other ways to get RPMs than letting dnf hit the mirror network.

I think dnf only performs signature checking if the RPMs are downloaded
from repositories.

Thanks,
Florian
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
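
The hash chain discussed in the message above (metalink hash of repomd.xml, repomd.xml hash of primary.xml, primary.xml digests of the RPM files), as an added example that is not part of the original post and is not dnf or RPM code. The names `verify_chain` and `build_sample` are hypothetical, the sample documents are constructed, and it assumes SHA-256 throughout and an uncompressed primary.xml.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"ml": "http://www.metalinker.org/",
      "repo": "http://linux.duke.edu/metadata/repo",
      "c": "http://linux.duke.edu/metadata/common"}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def verify_chain(metalink, files):
    """Walk metalink -> repomd.xml -> primary.xml -> RPMs; ValueError on mismatch."""
    # Assumptions: metalink is trusted (https), primary.xml is uncompressed, SHA-256 only.
    def fetch(path, want):
        # Hash the mirror's bytes before anything parses or stores them.
        data = files.get(path)
        if data is None or sha256(data) != want.strip().lower():
            raise ValueError("digest mismatch: " + path)
        return data
    want = ET.fromstring(metalink).find(
        "ml:files/ml:file[@name='repomd.xml']/ml:verification/ml:hash[@type='sha256']", NS).text
    repomd = ET.fromstring(fetch("repodata/repomd.xml", want))
    prim = repomd.find("repo:data[@type='primary']", NS)
    primary = ET.fromstring(fetch(prim.find("repo:location", NS).get("href"),
                                  prim.find("repo:checksum[@type='sha256']", NS).text))
    verified = []
    for pkg in primary.findall("c:package", NS):
        href = pkg.find("c:location", NS).get("href")
        fetch(href, pkg.find("c:checksum[@type='sha256']", NS).text)
        verified.append(href)
    return verified

def build_sample():
    """Constructed sample data, hashed bottom-up the way a repository is published."""
    rpm = b"constructed stand-in for RPM bytes"
    primary = ('<metadata xmlns="%s"><package type="rpm"><name>demo</name>'
               '<checksum type="sha256" pkgid="YES">%s</checksum>'
               '<location href="Packages/demo.rpm"/></package></metadata>'
               % (NS["c"], sha256(rpm))).encode()
    repomd = ('<repomd xmlns="%s"><data type="primary">'
              '<checksum type="sha256">%s</checksum>'
              '<location href="repodata/primary.xml"/></data></repomd>'
              % (NS["repo"], sha256(primary))).encode()
    metalink = ('<metalink xmlns="%s"><files><file name="repomd.xml"><verification>'
                '<hash type="sha256">%s</hash></verification></file></files></metalink>'
                % (NS["ml"], sha256(repomd))).encode()
    return metalink, {"repodata/repomd.xml": repomd,
                      "repodata/primary.xml": primary, "Packages/demo.rpm": rpm}
```

Calling `verify_chain(*build_sample())` returns the list of package paths whose bytes match the chain. Changing any byte in a mirror-served file raises `ValueError` at the first level where the digest no longer matches.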