On 3/6/22 18:10, John Reiser wrote:
> I have also strongly disliked deltarpms. They very rarely help and
> significantly increase attack surface.
If deltarpm succeeds and both the old .rpm and the new.rpm are signed,
then how is the attack surface larger, as long as any consumer
verifies the signature?
This assumes that deltarpm (the program) does not contain any security
flaws of its own, which could allow for code execution while the
deltarpm is being applied. This is a bad assumption: a cursory audit
I did found that it is not designed with untrusted input in mind.
The code is also quite hard to follow, which makes auditing it quite
difficult. Finally, it exposes decompression libraries to untrusted
input before signature verification, and it itself has at the very
least several areas where a bad deltarpm could cause it to allocate
gigabytes of RAM.
--
Sincerely,
Demi Marie Obenour (she/her/hers)