Re: Up2date and SysAdmin auth.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: fedora-list@xxxxxxxxxx
Subject: Re: Up2date and SysAdmin auth.
From: "William Hooper" <whooperhsd3@xxxxxxxxxxxxx>
Date: Mon, 9 Aug 2004 16:56:04 -0400 (EDT)
Importance: Normal
In-reply-to: <1092082173.29614.90.camel@lathe>
References: <[email protected]> <1092058251.29614.38.camel@lathe> <[email protected]> <1092082173.29614.90.camel@lathe>
Reply-to: For users of Fedora Core releases <fedora-list@xxxxxxxxxx>
User-agent: SquirrelMail/1.5.1 [CVS]

Scot L. Harris said:
[snip]
> 
> I will have to find some time to look at this.
> 
> 
> You have raised a very good question (which is actually about fedora of
> all things!)
> 
> Just how secure is the update process used by fedora?  I don't think any
> encryption is used for the transfer of packages, nor do I believe 
> certificates to validate the repository.

The RPMs are signed with the Fedora GPG key.  If you choose to configure your system to not check it, then you might have a problem.
 
> So the weak points in the update process are:
> 
> 
> 1. repository compromise
> 2. session hijacking
> 3. packet injection/spoofing

All fixed by configuring up2date and/or yum to verify GPG signatures.

-- 
William Hooper

Follow-Ups:
- Re: Up2date and SysAdmin auth.
  - From: Stanley Allely

References:
- Up2date and SysAdmin auth.
  - From: Stanley Allely
- Re: Up2date and SysAdmin auth.
  - From: Scot L. Harris
- Re: Up2date and SysAdmin auth.
  - From: Stanley Allely
- Re: Up2date and SysAdmin auth.
  - From: Scot L. Harris

Prev by Date: Re: scsi pci vs FC2?
Next by Date: sound autoplay on focus pb
Previous by thread: Re: Up2date and SysAdmin auth.
Next by thread: Re: Up2date and SysAdmin auth.
Index(es):
- Date
- Thread

[Index of Archives] [Current Fedora Users] [Fedora Desktop] [Fedora SELinux] [Yosemite News] [Yosemite Photos] [KDE Users] [Fedora Tools] [Fedora Docs]

Powered by Linux