[Fwd: Re: How secure is Preupgrade? Answer: Not.]

Björn Persson listor3.rombobeorn at tdcpost.se
Thu May 22 00:54:35 UTC 2008


Will Woods wrote:
> Preupgrade is currently designed to be exactly as secure as an anaconda
> http install. No less, no more.

But it's not being marketed as an alternative to an Anaconda HTTP install with 
less downtime as the only improvement. It's being marketed as a safer 
alternative to a live upgrade with Yum, and as a faster, more convenient and 
less bandwidth-wasting alternative to downloading and burning DVD images. See 
this article for example:

http://www.redhatmagazine.com/2008/04/15/interview-fedora-developers-seth-vidal-and-will-woods/

The article talks a lot about how Preupgrade is better than both a Yum upgrade 
and a DVD-based upgrade, but says very little about network-based Anaconda 
upgrades, and it's completely silent about the security aspect. Here's a 
quote from the article:

"So you can upgrade with the convenience and bandwidth savings of a live 
upgrade, but without the risky craziness inherent therein."

Yeah, it avoids the risky craziness inherent in a Yum upgrade but adds instead 
the crazy riskiness inherent in an HTTP-based Anaconda upgrade. That's no 
improvement in my book. No matter what the risks with a Yum upgrade are, 
getting intruders in my computer is worse.

> Nothing's *missing*. There just aren't any signatures to check for the
> boot images, and there never have been.

For several years now, all my boot images have been included in ISO images. 
Those ISO images have been accompanied by checksum files, and those checksum 
files have been cryptographically signed. I always verify the signature and 
the checksums, and when they're verified correctly I know that all the files 
in the ISO image are clean, including the boot images.

Generating detached signatures for the boot images and putting them in the 
directory where the images are published would take at most five minutes of 
manual work for each release.

> Furthermore anaconda doesn't check the gpg signatures of packages it
> downloads and installs during http installs. Never has. That's bug #998.
> (Yes, #998. Not a typo. See https://bugzilla.redhat.com/998)

Would you like to guess why I never do network-based installs except from my 
own server directly attached with a crossover cable?

Björn Persson
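
As an added illustration of the gap discussed above (example code, not from the original thread or from Fedora's tooling): a small checker that does the hashing half of the routine Björn describes over a publish directory and flags every file, such as the boot images, that the signed checksum file never mentions. It assumes `gpg --verify` on the clearsigned checksum file has already succeeded; the file names and contents in `demo()` are constructed.

```python
import hashlib, os, re, tempfile

# Two line formats found in checksum files: GNU "<hex> *name" and BSD "SHA256 (name) = <hex>".
GNU_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")
BSD_LINE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-fA-F]{64})$")

def parse_checksums(text):
    """Map relative file name -> expected SHA-256; armor/header lines are skipped."""
    # Assumes `gpg --verify` on the clearsigned file already succeeded; this is only the hash step.
    expected = {}
    for raw in text.splitlines():
        line = raw[2:] if raw.startswith("- ") else raw  # undo clearsign dash-escaping
        if m := GNU_LINE.match(line):
            expected[m.group(2)] = m.group(1).lower()
        elif m := BSD_LINE.match(line):
            expected[m.group(1)] = m.group(2).lower()
    return expected

def sha256_file(path):
    with open(path, "rb") as f:  # whole-file read; chunk this for multi-GB ISOs
        return hashlib.sha256(f.read()).hexdigest()

def audit_directory(directory, checksum_text):
    """Check every listed file and report published files that no checksum covers."""
    expected = parse_checksums(checksum_text)
    published = {os.path.relpath(os.path.join(root, f), directory)
                 for root, _, files in os.walk(directory) for f in files}
    result = {"ok": [], "mismatch": [], "missing": [], "uncovered": []}
    for name, digest in expected.items():
        if name not in published:
            result["missing"].append(name)
        elif sha256_file(os.path.join(directory, name)) == digest:
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)
    result["uncovered"] = sorted(published - set(expected))  # e.g. boot images nobody signed
    return result

def demo():
    """Constructed tree (not real Fedora data): DVD ISO covered, boot images beside it not."""
    d = tempfile.mkdtemp()
    for rel, data in {"Fedora-9-i386-DVD.iso": b"iso payload", "images/boot.iso": b"boot",
                      "images/pxeboot/vmlinuz": b"kernel"}.items():
        os.makedirs(os.path.dirname(os.path.join(d, rel)), exist_ok=True)
        with open(os.path.join(d, rel), "wb") as f:
            f.write(data)
    text = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
            f"{hashlib.sha256(b'iso payload').hexdigest()} *Fedora-9-i386-DVD.iso\n"
            "-----BEGIN PGP SIGNATURE-----\n(signature block omitted)\n-----END PGP SIGNATURE-----\n")
    return audit_directory(d, text)
```

Anything reported under `uncovered` has no signed checksum behind it, which is exactly the state of the boot images the thread is about; a detached signature per image, or a checksum line for each, closes the gap.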