On Sat, Nov 6, 2021 at 3:43 AM Daniel Alley <dalley@xxxxxxxxxx> wrote: > > > On Wed, Aug 11, 2021 at 10:03:50PM +0200, Marek Marczykowski-Górecki wrote: > > I do think we should drop drpms or make them more useful, but I don't > > think there's any security angle here. (see below) > > > > drpms work by downloading the delta, then using it + the version you > > have installed to recreate the signed rpm (just like you downloaded the > > full signed update) and then the gpg signature is checked of that full rpm, > > just like one you downloaded. If the drpm is tampered with it won't > > reassemble and it will fall back to the full signed rpm. > > Sorry to resurrect this thread. > > Another issue - which is not per-se a security issue but it's still a problem - is that deltarpm uses md5 checksums pervasively. They're everywhere. And it uses its own implementation of md5 which doesn't respect FIPS, so even when the user has *explicitly* configured their system to not use md5 for anything security-relevant, libdeltarpm won't know or care. This is not true with libdrpm though, and that version is what createrepo_c uses. That said, it *is* also possible to create DeltaRPMs separately from using createrepo_c, especially by building upon libdrpm, we just haven't done it. -- 真実はいつも一つ!/ Always, there's only one truth! _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
