List Info

Thread: Possible exploit within yum and other depsolversthat disable header-only signature checking.
Possible exploit within yum and other depsolversthat disable header-only signature checking.
user name
 2006-08-28 13:27:10 
> > > yum trusts that the rpm maintainers are going
to do the right
> > > thing. In
> > > much the same way that rpm trusts that glibc
or sleepycat will do
the
> > > right thing.
> > >
> > > Maybe that's too trusting. 
> > >
> >
> > And perhaps trusting that yum and anaconda and
rpm-python
maintainers
> > will react seriously to reported defects is far
too trusting as
well.
> >
> > FWIW, I just checked with Gustavo that smart is
using ts.hdrFromFdno
> > (), which *WILL*
> > verify header-only signatures and digests when
available.
> >
> > Too bad for yum.
> 
> Doing the right thing in this case is deprecating the
other paths and
> making sure to document the better paths.
> 
> I guess I was expecting too much from rpm.
>
Not necessarily (but maybe so).  Again, there could be
someone that
decides for their own reasons within their own software to
handle the
signature stuff themselves (perhaps within their own
network).  Your
wanting RPM to paternalize...no offense but you can pay for
that sort of
treatment...james

_______________________________________________
Rpm-devel mailing list
Rpm-devellists.dulug.duke.edu
https://lists.dulug.duke.edu/mailman/listinfo/rpm-devel
[1]

about | contact  Other archives ( Real Estate discussion Medical topics )