On 1/28/22 10:48, Vitaly Zaitsev via devel wrote:
> On 28/01/2022 16:40, Demi Marie Obenour wrote:
>> sometimes disabled for security reasons.
>
> Can you elaborate on what you mean by "security reasons"?

deltarpm's integration into DNF is poorly designed: deltarpms are processed before verifying any cryptographic signatures. That means that a vulnerability in deltarpm could allow for remote code execution as root. While I am not aware of any such vulnerabilities, I also do not have strong evidence that there are none. Therefore, disabling deltarpm is useful attack surface reduction.

--
Sincerely,
Demi Marie Obenour (she/her/hers)
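The message above recommends disabling deltarpm as attack surface reduction. The following is an added audit check, not code from the thread or from the dnf project: it parses a dnf.conf body and reports when deltarpm is still enabled (the default when the option is absent) or when gpgcheck is off. It assumes the standard [main] section layout; the option names are real dnf options, and the two sample configurations are constructed.

```python
"""Audit a dnf.conf for the deltarpm attack-surface setting discussed above.

Added example, not code from the thread or from dnf. Assumes the standard
dnf.conf INI layout with a [main] section; 'deltarpm' and 'gpgcheck' are
real dnf option names, the sample configurations below are constructed.
"""
import configparser

# Spellings dnf accepts for boolean options.
_TRUE = {"1", "yes", "true", "on"}
_FALSE = {"0", "no", "false", "off"}


def parse_bool(value, default):
    """Interpret a dnf-style boolean, falling back to default on junk."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    return default


def audit_dnf_conf(text):
    """Return a list of findings for a dnf.conf body given as a string."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    main = cp["main"] if cp.has_section("main") else {}
    findings = []
    # deltarpm defaults to enabled, so a missing option is a finding too.
    if parse_bool(main.get("deltarpm"), default=True):
        findings.append("deltarpm enabled: deltas are applied before signature verification")
    # gpgcheck defaults to off in dnf itself; distributions usually enable it.
    if not parse_bool(main.get("gpgcheck"), default=False):
        findings.append("gpgcheck disabled: package signatures are not verified")
    return findings


# Constructed sample configurations: the weak one and the hardened one.
WEAK_CONF = "[main]\ngpgcheck=1\ninstallonly_limit=3\n"
HARDENED_CONF = "[main]\ngpgcheck=1\ndeltarpm=False\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_dnf_conf(conf) or ["no findings"])
```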
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure