RPM: signing uncompressed data instead of signed data?

Michael Schroeder mls at suse.de
Thu Nov 11 15:40:13 UTC 2010


On Thu, Nov 11, 2010 at 10:17:57AM -0500, Andre Robatino wrote:
> I realize there's a lot of stuff sitting on top of RPM that depends on
> how it works currently, but in terms of correctness, it still seems to
> me to make more sense to sign the uncompressed data, since that's what
> actually gets used, and it would avoid issues like
> https://fedorahosted.org/rel-eng/ticket/4224 which will have to be dealt
> with periodically as long as compression continues to improve. So let me
> rephrase the question: in an alternate universe where RPM was originally
> designed to sign the uncompressed data, and the higher-level tools were
> subsequently designed to work with that, is there any fundamental reason
> why things would be worse (or better) than they are now?

Securitywise it would be a bit worse, because the decompression
libraries may contain exploitable bugs, so checking the
signature of an rpm might already be a dangerous operation.

(But most repositories nowadays already contain checksums over
the complete rpm, and most people trust repositories, not
individual rpms.)

Cheers,
  Michael.

-- 
Michael Schroeder                                   mls at suse.de
SUSE LINUX Products GmbH, GF Markus Rex, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
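Added example (written for this archive page; not code from the thread, from RPM, or from SUSE) of the ordering point made above: when the signature covers the compressed bytes, a tampered file is rejected before any decompression library touches it, whereas a signature over the uncompressed data forces the verifier to run the decompressor on untrusted input first. HMAC-SHA256 with a constructed key stands in for the package's OpenPGP signature, zlib stands in for the payload compressor, and the helper names and status strings are this example's own. The decompress-first path also shows the mitigation a verifier in that design would need: an output cap so a small, highly compressible file cannot exhaust memory before the signature check even runs.

```python
import hashlib
import hmac
import zlib

# Constructed demo key; stands in for the packager's real signing key.
SIGNING_KEY = b"demo-key-not-a-real-secret"

STATUS_OK = "ok"
STATUS_REJECTED_BEFORE = "rejected before decompression"
STATUS_DECOMPRESSOR_FAILED = "decompressor ran on untrusted input and failed"
STATUS_OUTPUT_LIMIT = "output limit reached before end of stream"
STATUS_REJECTED_AFTER = "rejected after decompression"


def sign(data: bytes) -> bytes:
    """Stand-in for the package signature (HMAC instead of OpenPGP)."""
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


def build_package(payload: bytes, sign_uncompressed: bool):
    """Compress the payload and sign either the compressed or the raw bytes."""
    compressed = zlib.compress(payload)
    signed_bytes = payload if sign_uncompressed else compressed
    return compressed, sign(signed_bytes)


def verify_then_decompress(compressed: bytes, sig: bytes):
    """Signature covers the compressed bytes: reject before zlib ever runs."""
    if not hmac.compare_digest(sign(compressed), sig):
        return None, STATUS_REJECTED_BEFORE
    # Only data that carries a valid signature reaches the decompressor.
    return zlib.decompress(compressed), STATUS_OK


def decompress_then_verify(compressed: bytes, sig: bytes, max_size: int = 1 << 20):
    """Signature covers the uncompressed bytes: zlib sees untrusted input first.

    A bounded decompressor is the minimum defence in this design; without the
    cap, a small file could expand without limit before the check is reached.
    """
    decomp = zlib.decompressobj()
    try:
        payload = decomp.decompress(compressed, max_size)
    except zlib.error:
        # The decompressor has already parsed attacker-controlled bytes.
        return None, STATUS_DECOMPRESSOR_FAILED
    if not decomp.eof:
        # Output cap hit before the end-of-stream marker: refuse it.
        return None, STATUS_OUTPUT_LIMIT
    if not hmac.compare_digest(sign(payload), sig):
        return None, STATUS_REJECTED_AFTER
    return payload, STATUS_OK


def tamper(compressed: bytes) -> bytes:
    """Constructed corrupt file: keep the zlib header, replace the deflate body."""
    return compressed[:2] + b"\xff" * (len(compressed) - 2)


def make_bomb(expanded_size: int) -> bytes:
    """Constructed highly compressible stream used to exercise the output cap."""
    return zlib.compress(b"\x00" * expanded_size)


if __name__ == "__main__":
    payload = b"hello package contents"
    compressed, sig_c = build_package(payload, sign_uncompressed=False)
    print("signed compressed, tampered:", verify_then_decompress(tamper(compressed), sig_c))
    _, sig_u = build_package(payload, sign_uncompressed=True)
    print("signed uncompressed, tampered:", decompress_then_verify(tamper(compressed), sig_u))
    print("signed uncompressed, bomb:", decompress_then_verify(make_bomb(8 << 20), sig_u))
```

The second parenthetical in the reply maps onto the same pattern: a checksum over the complete rpm, taken from signed repository metadata, is also a check on the raw file bytes that can be made before anything inside the file is parsed.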