Deltarpm *not* ready for new RPM checksums (was Re: Ready for new RPM version?)
jdieter at gmail.com
Sat Apr 18 15:49:45 UTC 2009
On Sat, 2009-04-18 at 16:56 +0200, Till Maas wrote:
> This is what I know and hope is true: The deltarpm tools are only used to
> regenerate the original rpms instead of downloading then. Therefore they still
> need to pass all verification that yum or rpm do, e.g. checking the gpg
> signature. Therefore an attacker needs access to the signing keys to create a
> malicous deltarpm that has a real security impact.
Exactly. The md5 checksum in the deltarpm functions as just that, a
checksum against accidental corruption. The security check comes from
the gpg signature after the rpm has been regenerated.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 197 bytes
Desc: This is a digitally signed message part
More information about the fedora-devel-list