Deltarpm *not* ready for new RPM checksums (was Re: Ready for new RPM version?)

Till Maas opensource at till.name
Sat Apr 18 14:56:33 UTC 2009


On Sat April 18 2009, Axel Thimm wrote:
> On Tue, Mar 10, 2009 at 07:52:32PM +0200, Jonathan Dieter wrote:
> > On Tue, 2009-03-10 at 19:41 +0200, Jonathan Dieter wrote:
> > > Ok, I've been trying this, but how can we tell if the sequence is
> > > sha256 or md5 if we're *just* given the sequence (i.e. applydeltarpm -c
> > > -s audit-libs-1.7.12-1.fc11-04548395de7d18795d88b32ea98897e90140 where
> > > it's a sha256 sequence)?
> >
> > Ok, I've got it.  We just check against md5 first, then sha256 if md5
> > doesn't match.  It's not elegant, but it should work fine, especially
> > since we're only checking for verification, *not* security.
> >
> > Jonathan
>
> Sorry for jumping in that late, but assuming a malicious deltarpm that
> could fake a matching md5 sum to pass validation, wouldn't it get
> applied and make that a security issue?

This is what I know and hope is true: The deltarpm tools are only used to 
regenerate the original rpms instead of downloading them. Therefore they still 
need to pass all verification that yum or rpm do, e.g. checking the gpg 
signature. Therefore an attacker needs access to the signing keys to create a 
malicious deltarpm that has a real security impact.

Regards
Till
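
The md5-then-sha256 fallback discussed in this thread, as an added example (not code from deltarpm or from anyone in the thread). The sequence layout (`name-version-release-` followed by a 32-hex-character checksum prefix), the function names and the sample data are assumptions made for illustration; the code reports which algorithm matched so a caller can treat the result as an integrity check and leave authenticity to the package signature check.

```python
import hashlib
import hmac
import string

PREFIX_HEX = 32  # assumption: checksum field is 16 bytes, hex-encoded


def checksum_field(seq):
    """Return the checksum prefix from 'name-version-release-<hex...>'."""
    nevr, _, tail = seq.rpartition("-")
    if not nevr or len(tail) < PREFIX_HEX:
        raise ValueError("malformed sequence")
    if any(c not in string.hexdigits for c in tail):
        raise ValueError("non-hex characters in sequence")
    return tail[:PREFIX_HEX].lower()


def matching_algorithm(seq, payload):
    """Try md5 first, then sha256, as in the thread; None if neither fits."""
    want = checksum_field(seq)
    for name in ("md5", "sha256"):
        got = hashlib.new(name, payload).hexdigest()[:PREFIX_HEX]
        if hmac.compare_digest(got, want):
            return name
    return None


def accept(seq, payload, allowed=("sha256",)):
    """Count a match only if its algorithm is in the caller's allow-list."""
    return matching_algorithm(seq, payload) in allowed


def make_sequence(nevr, payload, algo):
    """Build a constructed sample sequence (illustration only)."""
    return nevr + "-" + hashlib.new(algo, payload).hexdigest()[:PREFIX_HEX] + "0140"


# Constructed sample data, not taken from a real package.
PAYLOAD = b"constructed file list for example-1.0-1"
SEQ_MD5 = make_sequence("example-1.0-1", PAYLOAD, "md5")
SEQ_SHA = make_sequence("example-1.0-1", PAYLOAD, "sha256")

if __name__ == "__main__":
    for seq in (SEQ_MD5, SEQ_SHA):
        print(seq, matching_algorithm(seq, PAYLOAD), accept(seq, PAYLOAD))
```

A verifier that accepts either algorithm is only as strong as the weaker one, which is why the returned algorithm name is checked against an allow-list instead of being discarded.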
