How secure is Preupgrade?
Björn Persson
listor3.rombobeorn at tdcpost.se
Tue May 20 00:49:14 UTC 2008
Rahul Sundaram wrote:
> Preupgrade is essentially a wrapper around yum.
OK
> Yum has gpg signature support
Yes. Otherwise I'd be very very worried, with all the updating that's going on
in Fedora.
> and it does check the keys used while building the packages when
> it is installing them by default just like it does on any regular
> installations or upgrades of packages.
I'm not sure what you mean here. I think you mean that Yum checks the packages
when it has downloaded them, so that when Preupgrade wants to reboot, all the
packages are known to be good. Is that right? (The "when it is installing
them" part seems to indicate, to the contrary, that the checking happens
during the upgrade, after the reboot.)
That still leaves the files in /boot/upgrade, which contain executable code
but which are not RPM packages. Did they come out of an RPM package whose
signature was checked? Were they checked against some detached PGP signatures
that I haven't found? Were they downloaded with HTTPS from a trusted server?
(Some random dude's mirror isn't necessarily trusted.) Or have they not been
checked at all? Signatures on all the packages don't help much if the kernel
itself is a Trojan horse, you know.
> Anaconda merely is picking up the
> updates from your local hard disk after preupgrade in combination with
> yum has downloaded them.
That's fine, if Yum has checked the files, but I'm told that Anaconda can also
download additional files on its own. Preupgrade told me "Not enough space
in /boot/upgrade to cache stage2.img. It will be downloaded once the
installer starts." Furthermore, someone wrote here in fedora-list that some
packages had been missing after the reboot into the installer system, despite
Preupgrade, and that those had been downloaded automatically during the
upgrade. These files must of course also be checked. Will stage2.img be
checked against some signature that is present in initrd.img? And does the
RPM in the installer system have the necessary keys to check the signatures
when Anaconda decides to download additional packages?
Björn Persson
More information about the fedora-list
mailing list