Re: status of up2date and rhn-applet

On Sat, 2005-11-26 at 22:59 -0500, Jeff Spaleta wrote:
> In any event, once a package leaves a repository, there is no way to
> know exactly which repo it came from.  You can't really trust the
> reponame as defined in the config, I could rename updates-released to
> pooptastic-updates in the yum config and that name would have no
> meaning to anyone else. Signing keys you can somewhat trust to be
> authoritative and unique, but signing keys are not unique per repository
> tree. You can't know that a package came from updates-testing versus
> updates-released based just on the package signature.

Checking key consistency is a worthwhile check and likely a more
important check than source repo anyways. It doesn't matter to me where
a package comes from so long as I have the repo in my repo.d and it is
signed by someone I trusted for that package previously.

Handling it like the key checking that ssh does (with a warning and an
option to continue) might be the way to go.
It would prevent some widespread trojan installation possible by a
popular third-party repo's key getting compromised, malicious repo
owners and possible future repo slap-fights.

It seems that right now, some owner of pooptastic-updates can offer up
the wonderful superfoo package, convince some users to install their
pooptastic.repo containing a URL to the pooptastic.key. At that point,
they could replace any package on your system at update time with little
indication to the user.

Is this correct?

/Mike
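The ssh-style check Mike proposes above, written out as an added example (not code from this thread, nor from yum, up2date or rhn-applet): the key id that first signs a package name is pinned, a later update signed by the same key is accepted silently, and a different key triggers a warning that needs an explicit override, the same way a changed host key in `~/.ssh/known_hosts` does. It also applies the "repo must be in my repo.d" condition from the same paragraph. The key ids, package names and repo names are constructed sample values; `plan_update` and `KeyPinStore` are names invented for this example.

```python
"""Trust-on-first-use (TOFU) pinning of package signing keys.

Added example for the thread above; not part of yum, up2date or rhn-applet.
Pins the key id that first signed each package name and flags a later
update of that package signed by a different key, ssh known_hosts style.
All key ids, package and repo names here are constructed sample values.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from enum import Enum

# Constructed sample key ids (not real Fedora or third-party key ids).
DISTRO_KEY = "AAAA1111"
THIRD_PARTY_KEY = "BBBB2222"


class Verdict(Enum):
    FIRST_SEEN = "first-seen"    # no pin yet: record the key and accept
    MATCH = "ok"                 # same key as pinned: accept silently
    KEY_CHANGED = "key-changed"  # different key: warn, require explicit override


@dataclass
class KeyPinStore:
    """Maps package name -> key id of the key that signed it when first seen."""
    pins: dict[str, str] = field(default_factory=dict)

    def check(self, package: str, key_id: str, override: bool = False) -> Verdict:
        pinned = self.pins.get(package)
        if pinned is None:
            self.pins[package] = key_id          # first contact: pin it
            return Verdict.FIRST_SEEN
        if pinned == key_id:
            return Verdict.MATCH
        if override:
            self.pins[package] = key_id          # user accepted the new key: re-pin
            return Verdict.MATCH
        return Verdict.KEY_CHANGED

    def dumps(self) -> str:
        """Serialise the pin table (e.g. to persist under /var/lib)."""
        return json.dumps(self.pins, sort_keys=True)

    @classmethod
    def loads(cls, text: str) -> "KeyPinStore":
        return cls(pins=json.loads(text))


def plan_update(store: KeyPinStore, enabled_repos: set[str],
                candidates: list[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """Decide per candidate (package, repo, key_id) whether to install.

    A candidate from a repo not in the configured set is rejected outright;
    otherwise the key pin decides. Returns (package, decision) pairs.
    """
    decisions = []
    for package, repo, key_id in candidates:
        if repo not in enabled_repos:
            decisions.append((package, "repo-not-configured"))
            continue
        verdict = store.check(package, key_id)
        if verdict is Verdict.KEY_CHANGED:
            decisions.append((package, f"key-changed: pinned {store.pins[package]}, offered {key_id}"))
        else:
            decisions.append((package, "install"))
    return decisions


def demo() -> list[tuple[str, str]]:
    """Constructed scenario matching the thread: a third-party repo offers
    its own superfoo (fine) and also a glibc replacement (flagged)."""
    store = KeyPinStore()
    store.check("glibc", DISTRO_KEY)                         # installed originally from the distro
    enabled = {"updates-released", "pooptastic-updates"}     # both present in repo.d
    candidates = [
        ("superfoo", "pooptastic-updates", THIRD_PARTY_KEY),  # new package: first seen, pinned
        ("glibc", "pooptastic-updates", THIRD_PARTY_KEY),     # other key for a pinned package: warn
        ("glibc", "updates-released", DISTRO_KEY),            # same key as pinned: install
        ("bar", "unconfigured-repo", DISTRO_KEY),             # repo not in repo.d: rejected
    ]
    return plan_update(store, enabled, candidates)


if __name__ == "__main__":
    for package, decision in demo():
        print(f"{package:10s} {decision}")
```

The pin is per package name rather than per repo, which is exactly what makes the "replace any package on your system" case detectable: the third-party key is accepted for packages it introduced, but not for ones a different key signed first. Persisting the table with `dumps`/`loads` is what turns this into a known_hosts equivalent across runs.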

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
