Re: deltarpm usefulness?

On Wed, Aug 11, 2021 at 10:03:50PM +0200, Marek Marczykowski-Górecki wrote:
> Hi all,
> 
> I think deltarpm is not really useful anymore:
>  - there are very few drpm files in the repository, see for example:
>    https://download.fedoraproject.org/pub/fedora/linux/updates/34/Everything/x86_64/drpms/
>    https://download.fedoraproject.org/pub/fedora/linux/updates/33/Everything/x86_64/drpms/
>  - those that actually are there, are mostly about small packages anyway
>  - personally, I haven't seen it being used for a long time
>  - there is also an argument that people's connection bandwidth nowadays
>    tends to be fast enough to make the package rebuilding actually
>    slower than downloading the whole package (but that really varies between
>    different installations)

Yeah. ;( 

>  - and most importantly: drpm files are - by design - processed before
>    checking the package signature, which exposes rather big attack
>    surface(*)

That's not the case.

> Can deltarpm be disabled by default? In the few cases where it's
> actually useful (if there are any...), user is free to enable it, but
> the default would be significantly more secure this way.

I do think we should drop drpms or make them more useful, but I don't
think there's any security angle here. (see below)
> 
> (*) it is integrity protected via a hash in the repository metadata, but
> repository metadata in Fedora are still not signed - so this all heavily
> depends on the integrity of the [HTTPS connection to]
> mirrors.fedoraproject.org server (or any of CAs trusted by the system) -
> a rather fragile single point of failure.

drpms work by downloading the delta, then using it + the version you
have installed to recreate the signed rpm (just like you downloaded the
full signed update) and then the gpg signature is checked of that full rpm,
just like one you downloaded. If the drpm is tampered with it won't
reassemble and it will fall back to the full signed rpm.

Additionally, fedoraproject.org has DNSSEC enabled, so if you are
worried, do enable that to avoid hijacking.

kevin
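The flow described in the reply above (rebuild the full rpm from the delta, check the signature of that rebuilt rpm, and fall back to the full download when the delta does not reassemble) as an added Python model; this is not code from the thread or from deltarpm itself. It assumes a toy delta format and uses an HMAC key as a stand-in for the GPG signing key so that it runs offline.

```python
import hashlib
import hmac

# Stand-in for the distro GPG key: rpm checks a GPG signature in the rpm
# header; an HMAC key plays that role here so the example runs offline.
SIGNING_KEY = b"signing-key-stand-in"
# Constructed sample packages: installed version and its update.
OLD_RPM = b"old package v1 payload"
NEW_RPM = b"old package v2 payload extra"
# Toy delta ops: ("copy", offset, length) from the installed package,
# ("add", data) for new bytes. Real drpms use their own encoding.
GOOD_DELTA = [("copy", 0, 12), ("add", b"v2"), ("copy", 14, 8), ("add", b" extra")]
# Same delta with the inserted bytes altered in transit.
BAD_DELTA = [("copy", 0, 12), ("add", b"v2-evil"), ("copy", 14, 8), ("add", b" extra")]

def sign(rpm: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, rpm, hashlib.sha256).digest()

def signature_ok(rpm: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(rpm), sig)

def apply_delta(installed: bytes, delta: list) -> bytes:
    out = bytearray()
    for op in delta:
        if op[0] == "copy":
            out += installed[op[1]:op[1] + op[2]]
        else:
            out += op[1]
    return bytes(out)

def install_update(installed, delta, repodata_sha256, fetch_full_rpm, sig):
    """Rebuild from the delta; if the result is not the signed package,
    fall back to the full download. Returns (source, rpm)."""
    rebuilt = apply_delta(installed, delta)
    # The unsigned repodata checksum decides only whether the rebuild is
    # worth trying; authenticity rests on the signature over the full rpm.
    if hashlib.sha256(rebuilt).hexdigest() == repodata_sha256 and signature_ok(rebuilt, sig):
        return "drpm", rebuilt
    full = fetch_full_rpm()
    if not signature_ok(full, sig):
        raise ValueError("signature check failed on the full rpm; refusing to install")
    return "full", full

def run_demo():
    sig = sign(NEW_RPM)  # shipped with the package
    digest = hashlib.sha256(NEW_RPM).hexdigest()  # published in repodata
    good = install_update(OLD_RPM, GOOD_DELTA, digest, lambda: NEW_RPM, sig)
    bad = install_update(OLD_RPM, BAD_DELTA, digest, lambda: NEW_RPM, sig)
    return good[0], bad[0]
```

A tampered delta therefore costs only the bandwidth of the fallback download; a tampered full rpm is rejected by the signature check.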


_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx