status of up2date and rhn-applet

Michael Wiktowy mwiktowy at gmx.net
Sun Nov 27 20:20:36 UTC 2005


On Sun, 2005-11-27 at 10:05 -0500, seth vidal wrote:
> > Handling it like the key checking that ssh does (with a warning and an
> > option to continue) might be the way to go.
> 
> yum does that now. It asks you if you want to import the key and you
> have to press y or n.

Not quite what I was referring to. I am talking about long after you
have accepted a key initially and the key is added to your
~/.ssh/known_hosts file. The check that I refer to is the one where the
host presents a key and you have a different one in the known_hosts file
for that host. ssh complains *very* loudly and gives a clear indication
why this is an issue (MITM attack).

> > It would prevent some widespread trojan installation possible by a
> > popular third-party repo's key getting compromised, malicious repo
> > owners and possible future repo slap-fights.
> 
> the only thing that will prevent that is if users wisen up about what
> they're doing. It's the same thing as what protects them from sending
> their CC to a nefarious site or one unprotected by encryption. They have
> to be aware of what's going on around them.

Undoubtedly wise users would be desired (so would money growing on
trees). However, even the wisest user would have to pay very close
attention to prevent a repo from swapping out its yum.repos.d file
(something that might be expected from repos that maintain rpms
containing those config files and are updating their mirrors lists,
etc.) with one that had a [base] or [extras] stanza in it (something
that would be invisible and make future meddling next to invisible).

Security being a multi-layered thing, what I am suggesting is that, on
top of wizening the users as you suggested, giving the foolish users
clear indication that something nasty is amiss is desirable.
 
> > It seems that right now, some owner of pooptastic-updates can offer up
> > the wonderful superfoo package, convince some users to install their
> > pooptastic.repo containing a URL to the pooptastic.key. At that point,
> > they could replace any package on your system at update time with little
> > indication to the user.
> 
> If they already agreed to import the key, yes.

rpm -qai gpg-pubkey*
indicated 10 keys from various repos and developers that I have
installed packages from in the past. You are saying that any one of
those key owners can freely replace any package on your system with
little indication to the user that this is being done. That makes me
want to use rpm -i --nosignature rather than yum for small independent
developers offering yum repos of their stuff to prevent them from
getting inside that wall where no subdivisions exist, which kind of
detracts from the usefulness of yum.

/Mike
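The known_hosts-style check Mike describes, as an added example that is not from this thread or from yum: each package is pinned to the repo and signing key that first delivered it, and a later update that presents the same package under a different key (even one already imported) or from a different repo is flagged loudly instead of being accepted silently. Key IDs, repo names and the pin-file layout are constructed assumptions.

```python
import json
from pathlib import Path

# Constructed placeholder key IDs, not real repository keys.
BASE_KEY = "KEY-BASE-0001"
POOPTASTIC_KEY = "KEY-POOP-0002"


def load_pins(path):
    """Load the pin file (package -> {"repo": ..., "key": ...}); empty if absent."""
    path = Path(path)
    return json.loads(path.read_text()) if path.exists() else {}


def save_pins(path, pins):
    """Persist pins, the analogue of ~/.ssh/known_hosts for package signers."""
    Path(path).write_text(json.dumps(pins, indent=1, sort_keys=True))


def check_updates(pins, updates):
    """updates: (package, repo, signing key id) as a transaction would list them.
    Unknown packages are pinned on first sight (trust-on-first-use, like ssh).
    A pinned package arriving under another key, or from another repo, yields
    a warning string rather than silent acceptance."""
    warnings = []
    for pkg, repo, key in updates:
        pinned = pins.get(pkg)
        if pinned is None:
            pins[pkg] = {"repo": repo, "key": key}
            continue
        if pinned["key"] != key:
            warnings.append(f"{pkg}: signing key changed {pinned['key']} -> {key} "
                            f"(repo {repo}); possible key compromise or repo substitution")
        elif pinned["repo"] != repo:
            warnings.append(f"{pkg}: repo changed {pinned['repo']} -> {repo} under the "
                            f"same key; check the .repo files in yum.repos.d")
    return warnings


def demo():
    """Constructed scenario from the thread: a third-party repo's key is already
    imported, and a later transaction offers its own build of a base package."""
    pins = {}
    check_updates(pins, [("kernel", "base", BASE_KEY),
                         ("superfoo", "pooptastic", POOPTASTIC_KEY)])
    return check_updates(pins, [("superfoo", "pooptastic", POOPTASTIC_KEY),
                                ("kernel", "pooptastic", POOPTASTIC_KEY)])


if __name__ == "__main__":
    for w in demo():
        print("WARNING:", w)
```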