Fedora still doesn't sign its repo data?

Joonas Lehtonen joonas.lehtonen at bitmessage.ch
Sat Aug 16 22:20:26 UTC 2014



Hi,

Over five years ago, vulnerabilities in Fedora's (and others') package
managers [1] were presented at USENIX.

And even though yum has supported repo_gpgcheck since 2008 [2],
Fedora still does not make use of it to protect the repo metadata.

Are there specific reasons why Fedora still does not sign its repo
metadata to prevent metadata manipulation attacks (i.e. "hiding" updates)?
The LWN article from 2009 somehow hinted that it was about to be
enabled in Fedora 11? [1]

I filed a bug against fedora-release (covering the missing
repo_gpgcheck in fedora.repo) [3].
Which component would I file the missing repomd.xml.asc (on Fedora's
repositories) against?

Thanks,
Joonas



[1] https://lwn.net/Articles/327847/
[2] http://lists.baseurl.org/pipermail/yum-devel/2008-August/005350.html
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1130491
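A defender's check for the configuration gap the message describes, added here as an example that is not part of the original post or of Fedora's own tooling: it audits a yum/dnf .repo file for repositories whose metadata is not protected by repo_gpgcheck and emits a hardened copy. The .repo content and the function names are constructed for the example.

```python
import configparser
import io
# Constructed sample in the INI layout yum/dnf read; not Fedora's real fedora.repo.
SAMPLE_REPO_FILE = """\
[fedora]
enabled=1
gpgcheck=1

[fedora-debuginfo]
enabled=0
gpgcheck=1
repo_gpgcheck=0

[updates]
enabled=1
gpgcheck=1
repo_gpgcheck=1
"""

def _parse(text: str) -> configparser.ConfigParser:
    parser = configparser.ConfigParser(interpolation=None)  # keep $releasever literal
    parser.read_string(text)
    return parser

def audit_repo_config(text: str, enabled_only: bool = True) -> dict:
    """Map repo id -> problems. repo_gpgcheck defaults to 0 in yum/dnf, so a
    missing key means repomd.xml.asc is never fetched or verified."""
    parser = _parse(text)
    findings = {}
    for repo_id in parser.sections():
        section = parser[repo_id]
        if enabled_only and section.get("enabled", "1").strip() != "1":
            continue  # disabled repo: nothing is fetched from it
        problems = []
        if section.get("repo_gpgcheck", "0").strip() != "1":
            problems.append("repo_gpgcheck != 1: repomd.xml not verified")
        if section.get("gpgcheck", "0").strip() != "1":
            problems.append("gpgcheck != 1: package signatures not verified")
        if problems:
            findings[repo_id] = problems
    return findings

def harden_repo_config(text: str) -> str:
    """Return the config with repo_gpgcheck=1 forced on every repo section."""
    parser = _parse(text)
    for repo_id in parser.sections():
        parser[repo_id]["repo_gpgcheck"] = "1"
    out = io.StringIO()
    parser.write(out, space_around_delimiters=False)
    return out.getvalue()
```

Enabling repo_gpgcheck only helps when the repository actually publishes repomd.xml.asc and the repo's gpgkey is configured; otherwise the metadata download fails closed.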
