On Sat, 16 Aug 2014 22:20:26 +0000
Joonas Lehtonen <joonas.lehtonen(a)bitmessage.ch> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi,
over five years ago vulnerabilities in Fedora's (and others) package
managers [1] have been presented at USENIX.
And even though yum supports repo_gpgcheck since 2008 [2]
Fedora still does not make use of it to protect the repo metadata.
Are there specific reasons why Fedora still does not sign its repo
metadata to prevent metadata manipulation attacks (i.e. "hiding"
updates)? The LWN article from 2009 somehow hinted that it was about
to be enabled in Fedora 11? [1]
It's logistically difficult to sign the repodata... but of course it
could be done.
Many, if not all of the things they mention (I can't seem to find a link
to the orig USENIX pdf thats still valid to be sure) were fixed by us
moving to using metalinks by default.
The metalink is fetched over https and the ssl certs are checked.
The metalink has checksums of the current and previous repodata only.
If the mirror doesn't have either of those, it's skipped.
At least I can't off hand think that any of the items they mention not
being taken care of by metalinks, but perhaps I missed something. ;)
I filed a bug against fedora-release (covering the missing
repo_gpgcheck in fedora.repo) [3].
Which component would I file the missing repomd.xml.asc (on fedora's
repositories) against?
Release engineering trac instance I suppose...
https://fedorahosted.org/rel-eng/
kevin