Deltarpm *not* ready for new RPM checksums (was Re: Ready for new RPM version?)
Jonathan Dieter
jdieter at gmail.com
Sat Apr 18 15:49:45 UTC 2009
On Sat, 2009-04-18 at 16:56 +0200, Till Maas wrote:
> This is what I know and hope is true: The deltarpm tools are only used to
> regenerate the original rpms instead of downloading then. Therefore they still
> need to pass all verification that yum or rpm do, e.g. checking the gpg
> signature. Therefore an attacker needs access to the signing keys to create a
> malicous deltarpm that has a real security impact.
Exactly. The md5 checksum in the deltarpm functions as just that, a
checksum against accidental corruption. The security check comes from
the gpg signature after the rpm has been regenerated.
Jonathan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20090418/4d2ea603/attachment.bin
More information about the devel
mailing list