[Fwd: Re: How secure is Preupgrade? Answer: Not.]
Björn Persson
listor3.rombobeorn at tdcpost.se
Thu May 22 00:54:35 UTC 2008
Will Woods wrote:
> Preupgrade is currently designed to be exactly as secure as an anaconda
> http install. No less, no more.
But it's not being marketed as an alternative to an Anaconda HTTP install with
less downtime as the only improvement. It's being marketed as a safer
alternative to a live upgrade with Yum, and as a faster, more convenient and
less bandwidth-wasting alternative to downloading and burning DVD images. See
this article for example:
http://www.redhatmagazine.com/2008/04/15/interview-fedora-developers-seth-vidal-and-will-woods/
The article talks a lot about how Preupgrade is better than both a Yum upgrade
and a DVD-based upgrade, but says very little about network-based Anaconda
upgrades, and it's completely silent about the security aspect. Here's a
quote from the article:
"So you can upgrade with the convenience and bandwidth savings of a live
upgrade, but without the risky craziness inherent therein."
Yeah, it avoids the risky craziness inherent in a Yum upgrade but adds instead
the crazy riskiness inherent in an HTTP-based Anaconda upgrade. That's no
improvement in my book. No matter what the risks with a Yum upgrade are,
getting intruders in my computer is worse.
> Nothing's *missing*. There just aren't any signatures to check for the
> boot images, and there never have been.
For several years now, all my boot images have been included in ISO images.
Those ISO images have been accompanied by checksum files, and those checksum
files have been cryptographically signed. I always verify the signature and
the checksums, and when they're verified correctly I know that all the files
in the ISO image are clean, including the boot images.
Generating detached signatures for the boot images and putting them in the
directory where the images are published would take at most five minutes of
manual work for each release.
> Furthermore anaconda doesn't check the gpg signatures of packages it
> downloads and installs during http installs. Never has. That's bug #998.
> (Yes, #998. Not a typo. See https://bugzilla.redhat.com/998)
Would you like to guess why I never do network-based installs except from my
own server directly attached with a crossover cable?
Björn Persson
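The verification chain described in the post (a cryptographically signed checksum file vouching for the boot images it lists) and the detached-signature fix it proposes, as an added POSIX shell example that is not part of the original thread or of Fedora's tooling; the file names, the use of SHA-256 and the key ID are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): verify images through a signed
# checksum file, and publish a detached signature for such a file.

# verify_signed_checksums DIR CHECKSUMFILE
# Step 1: the detached signature DIR/CHECKSUMFILE.asc must verify against a
# key already in the local keyring (never a key fetched from the same mirror
# the images come from). Step 2: every listed image must match its checksum.
# Returns non-zero if gpg is missing, the signature fails, or a file differs.
verify_signed_checksums() {
    dir=$1
    sums=$2
    command -v gpg >/dev/null 2>&1 || { echo "gpg not available" >&2; return 1; }
    gpg --batch --verify "$dir/$sums.asc" "$dir/$sums" >/dev/null 2>&1 || {
        echo "signature check FAILED for $sums" >&2
        return 1
    }
    check_listed_checksums "$dir" "$sums"
}

# check_listed_checksums DIR CHECKSUMFILE
# sha256sum -c reads "<hex digest>  <file name>" lines; --strict turns a
# malformed line into an error instead of a silently skipped entry, and
# --status reports through the exit code only.
check_listed_checksums() {
    (cd "$1" && sha256sum --check --strict --status "$2")
}

# sign_image_checksums DIR CHECKSUMFILE KEYID
# The "five minutes of manual work" the post asks for: write an ASCII-armored
# detached signature next to the checksum file that lists the boot images
# (KEYID is an assumed release-signing key present in the signer's keyring).
sign_image_checksums() {
    gpg --batch --armor --detach-sign --local-user "$3" \
        --output "$1/$2.asc" "$1/$2"
}
```

A mirror that serves both the images and the signature gains nothing from the `.asc` unless the key it was made with is trusted independently of that mirror; that is why the keyring check in `verify_signed_checksums` relies on keys already imported.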