On Sat, 2021-11-06 at 07:43 +0000, Daniel Alley wrote:
> > On Wed, Aug 11, 2021 at 10:03:50PM +0200, Marek Marczykowski-Górecki wrote:
> > I do think we should drop drpms or make them more useful, but I don't
> > think there's any security angle here. (see below)
> >
> > drpms work by downloading the delta, then using it + the version you
> > have installed to recreate the signed rpm (just like you downloaded the
> > full signed update) and then the gpg signature is checked of that full rpm,
> > just like one you downloaded. If the drpm is tampered with it won't
> > reassemble and it will fall back to the full signed rpm.
>
> Sorry to resurrect this thread.
>
> Another issue - which is not per se a security issue but it's still a
> problem - is that deltarpm uses md5 checksums pervasively. They're
> everywhere. And it uses its own implementation of md5 which doesn't
> respect FIPS, so even when the user has *explicitly* configured their
> system to not use md5 for anything security-relevant, libdeltarpm
> won't know or care.

md5 used as a checksum to only detect network transmission issues is not a
problem, and is not under the purview of the FIPS certification.

As mentioned above the actual packages are still finally reassembled and the
signature checked, so that is what matters in terms of security (those
algorithms and computations need to be FIPS approved and the implementation
certified).

HTH,
Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
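The reassemble-then-verify flow the thread describes, as an added model that is not part of the thread or of deltarpm itself: it uses an assumed toy delta format and an HMAC-SHA256 stand-in for the detached GPG signature (both assumptions), and shows that a corrupted delta is caught by md5, while a tampered delta with a freshly computed md5 reassembles but fails the signature check and falls back to the full signed package.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA256 under a constructed key stands in for the detached
# OpenPGP signature that rpm/GPG actually verify on the full package.
SIGNING_KEY = b"constructed-demo-signing-key"


def sign(package: bytes) -> bytes:
    """Stand-in for the GPG signature over the complete RPM."""
    return hmac.new(SIGNING_KEY, package, hashlib.sha256).digest()


def delta_checksum(delta: list) -> str:
    """Transport checksum of the delta. md5 is adequate here: it only
    detects corruption in transit and carries no trust on its own."""
    return hashlib.md5(repr(delta).encode()).hexdigest()


def apply_delta(installed: bytes, delta: list) -> bytes:
    """Rebuild the full package from the installed bytes plus a toy delta
    (assumed format): ("copy", off, n) reuses n installed bytes,
    ("add", data) inserts new bytes."""
    out = bytearray()
    for op in delta:
        if op[0] == "copy":
            out += installed[op[1]:op[1] + op[2]]
        elif op[0] == "add":
            out += op[1]
        else:
            raise ValueError("unknown delta op")
    return bytes(out)


def install_update(installed, delta, md5sum, sig, fetch_full):
    """Return ("delta" | "full", package) following the flow from the thread:
    the reassembled RPM is trusted only if its signature verifies; otherwise
    fall back to downloading the full signed RPM and verify that instead."""
    candidate = None
    if hmac.compare_digest(delta_checksum(delta), md5sum):
        candidate = apply_delta(installed, delta)
    if candidate is not None and hmac.compare_digest(sign(candidate), sig):
        return "delta", candidate
    full = fetch_full()  # reassembly failed or did not yield the signed package
    if not hmac.compare_digest(sign(full), sig):
        raise RuntimeError("full RPM failed signature check; refusing to install")
    return "full", full
```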