Deltarpm *not* ready for new RPM checksums (was Re: Ready for new RPM version?)

Jonathan Dieter jdieter at
Sat Apr 18 15:49:45 UTC 2009

On Sat, 2009-04-18 at 16:56 +0200, Till Maas wrote:
> This is what I know and hope is true: The deltarpm tools are only used to 
> regenerate the original rpms instead of downloading then. Therefore they still 
> need to pass all verification that yum or rpm do, e.g. checking the gpg 
> signature. Therefore an attacker needs access to the signing keys to create a 
> malicous deltarpm that has a real security impact.

Exactly.  The md5 checksum in the deltarpm functions as just that, a
checksum against accidental corruption.  The security check comes from
the gpg signature after the rpm has been regenerated.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the fedora-devel-list mailing list