Björn Persson wrote:
I went ahead and read the code. I found out that the kernel and ramdisk images
in /boot/upgrade are *not* extracted from any PGP-signed package. They are
downloaded one by one, apparently from one of the mirrors
in "installmirrorlist".
I also found these comments:
# FIXME - check the packages? Durrrrrrrrrrrr
# TODO: gpgcheck downloaded pkgs
# File exists and it's the right size.. guess it's probably OK
# We should be doing some integrity checks but we don't have
# anything to check it against - la la la la
The last one talks about the kernel and ramdisk images.
So no check is performed on the installer kernel before it's booted, no check
is performed on the installer's root filesystem before the programs therein
are executed, and the packages aren't checked either – at least not while the
trusted, already installed OS still has control.
I've got my answer: Preupgrade is not secure. I'll continue upgrading the way
I've done it before – either with Yum or from a DVD image on a USB stick.
Rahul Sundaram wrote:
> gpg check is during the installation/upgrade phase.

That would be OK if the installer itself were checked before it's booted, but
since the installer is completely unchecked it can't be trusted to check
anything.

>> That still leaves the files in /boot/upgrade, which contain executable
>> code but which are not RPM packages. Did they come out of an RPM package
>> whose signature was checked?
>
> They are.

As I wrote above, that turns out not to be the case.

> Yes but more questions about internal details on how it all works can be
> either posted to fedora-devel list or anaconda-devel list. There might
> be things folks have missed in the process.

The comments in the code show that the authors already know they "missed" all
the signature checking.
Björn Persson
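The check Björn describes as absent, written out as an added example (mine, not preupgrade's or anaconda's code): verify the downloaded kernel and ramdisk against a manifest that carries a signature under a pinned publisher key, and do it before anything is written to /boot/upgrade, while the trusted, already-installed OS is still in control. The manifest layout (sha256sum style), the image names and the key handling are assumptions; the RSA routine is a minimal offline stand-in for a detached PGP signature check such as gpg --verify and is not production cryptography.

```python
# Added example, not preupgrade's or anaconda's code. Assumed: a manifest in
# sha256sum format ("<hex digest>  <name>" per line), a detached signature over
# the manifest bytes, and a pinned publisher key. The RSA code is a tiny
# stand-in for "gpg --verify" so this runs offline; it is not production crypto.
import hashlib
import hmac
import random

REQUIRED = ("vmlinuz", "initrd.img")   # assumed names of the installer images


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; adequate for a throwaway demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full width
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Returns (public, private) as (exponent, modulus) pairs."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            break
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)


def _digest_int(data):
    # SHA-256 is 256 bits; the modulus is at least 510 bits, so this is < n.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data):
    d, n = private
    return pow(_digest_int(data), d, n)


def verify_signature(public, data, signature):
    e, n = public
    return 0 < signature < n and pow(signature, e, n) == _digest_int(data)


def build_manifest(images):
    """Publisher side: one '<hex digest>  <name>' line per image."""
    return "".join("%s  %s\n" % (hashlib.sha256(b).hexdigest(), name)
                   for name, b in sorted(images.items()))


def parse_manifest(text):
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64:
            raise ValueError("malformed manifest line: %r" % line)
        entries[name.strip()] = digest.lower()
    return entries


def verify_images(manifest_text, signature, public, images):
    """True only if the manifest is genuinely signed by the pinned key AND every
    required image matches its listed digest. File size is never consulted."""
    if not verify_signature(public, manifest_text.encode(), signature):
        return False                      # manifest is not the publisher's
    expected = parse_manifest(manifest_text)
    for name in REQUIRED:
        if name not in expected or name not in images:
            return False                  # image or its digest is missing
        actual = hashlib.sha256(images[name]).hexdigest()
        if not hmac.compare_digest(actual, expected[name]):
            return False                  # downloaded bytes do not match
    return True                           # only now may they go to /boot/upgrade


if __name__ == "__main__":
    pub, priv = generate_keypair()
    # constructed sample "downloads", standing in for the fetch from a mirror
    good = {"vmlinuz": b"kernel-bytes-0001", "initrd.img": b"initrd-bytes-0001"}
    manifest = build_manifest(good)
    sig = sign(priv, manifest.encode())
    print("genuine:", verify_images(manifest, sig, pub, good))
    evil = dict(good, vmlinuz=b"kernel-bytes-EVIL")          # same size, wrong bytes
    print("same-size swap:", verify_images(manifest, sig, pub, evil))
    print("re-hashed manifest:", verify_images(build_manifest(evil), sig, pub, evil))
```

Two things the quoted comments give up on are covered here: the signature over the manifest is what ties the digests to the publisher, and the digest comparison is what a "right size" check cannot give you, so a same-length swap of the kernel is refused. Re-hashing the manifest to match a tampered image does not help an attacker without the key, because the signature then fails. In preupgrade's situation the party that must run this is the already-installed OS, before the reboot into the downloaded installer.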
Well, considering that I just did an upgrade to my x86_64 using
preupgrade, this is bad news indeed, but at least you thought to ask the
question. Thanks!! We should avoid taking things for granted, especially
when the resources to verify are available. AHHHH, the sweet smell of
open source. I am willing to be a guinea pig if one is needed because:
1. a useful tool is hard to find, 2. it worked well for me (I haven't
noticed any glitches that everyone else isn't having), 3. we should at no
time sacrifice our security in the name of getting it done on time.
However, I am starting to get steamed, so I will let this go right here,
besides which I have to blow away a completely usable install now. Boy,
am I glad I used the preupgrade tool. Someone please tell me it's April 1,
tell me Bjorn is wrong or I am dyslexic....
--
On the eighth day he said "There shall be no rest for the weary."
On the ninth day he farted, and it smelled like sulphur.
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list