Fedora still doesn't sign its repo data?
Kevin Fenzi
kevin at scrye.com
Sat Aug 16 23:00:48 UTC 2014
On Sat, 16 Aug 2014 22:20:26 +0000
Joonas Lehtonen <joonas.lehtonen at bitmessage.ch> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi,
>
> over five years ago vulnerabilities in Fedora's (and others) package
> managers [1] have been presented at USENIX.
>
> And even though yum supports repo_gpgcheck since 2008 [2]
> Fedora still does not make use of it to protect the repo metadata.
>
> Are there specific reasons why Fedora still does not sign its repo
> metadata to prevent metadata manipulation attacks (i.e. "hiding"
> updates)? The LWN article from 2009 somehow hinted that it was about
> to be enabled in Fedora 11? [1]
It's logistically difficult to sign the repodata... but of course it
could be done.
Many, if not all of the things they mention (I can't seem to find a link
to the orig USENIX pdf thats still valid to be sure) were fixed by us
moving to using metalinks by default.
The metalink is fetched over https and the ssl certs are checked.
The metalink has checksums of the current and previous repodata only.
If the mirror doesn't have either of those, it's skipped.
At least I can't off hand think that any of the items they mention not
being taken care of by metalinks, but perhaps I missed something. ;)
> I filed a bug against fedora-release (covering the missing
> repo_gpgcheck in fedora.repo) [3].
> Which component would I file the missing repomd.xml.asc (on fedora's
> repositories) against?
Release engineering trac instance I suppose...
https://fedorahosted.org/rel-eng/
kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/users/attachments/20140816/5c23993a/attachment.sig>
More information about the users
mailing list