RPM security (a newbie question)
"Stanisław T. Findeisen"
sf181257 at students.mimuw.edu.pl
Thu Apr 2 10:48:21 UTC 2009
Todd Zullinger wrote:
> By policy, there are things that rpm scriptlets should not do. But if
> you created an rpm which had a %post section containing rm -rf /, rpm
> would run it AFAIK.
Oh! 8-O
>> I wonder how easy it is to create a rootkit/trojan horse/whatever
>> and get it loaded on Fedora users' computers.
>
> You would need to create a trojan package and get it onto the mirrors,
> signed by the Fedora package signing key for a particular release.
> This is not an easy task
Really? Have you seen a list telling you who reviewed which package
before it got signed with Fedora key?
Probably there are lots of packages reviewed by their authors only?
STF
=======================================================================
http://eisenbits.homelinux.net/~stf/
OpenPGP: 9D25 3D89 75F1 DF1D F434 25D7 E87F A1B9 B80F 8062
=======================================================================
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20090402/d4a0002c/attachment-0001.sig>
More information about the fedora-list
mailing list