Re: How secure is Preupgrade? Answer: Not.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Beartooth Sciurivore wrote:
> 	Dumb question, probably : if you install and run preupgrade
> according to http://fedoraproject.org/wiki/PreUpgrade, BUT let it stop
> after downloading boot images, is there some user-friendly thing you can
> do then to make it secure? Something on the order of getting into a
> directory and commanding, in effect, "check all signatures"?

No. You can check the RPM packages in /var/cache/yum/anaconda-upgrade/packages 
with rpm --checksig (assuming you have known good public keys in the RPM 
database, but that's required for Yum too). The big problem is that you can't 
check the boot images in /boot/upgrade, because nobody has made signatures 
for them. Making signatures is easy, but only the owners of the Fedora 
project's private key can do it.

> 	Or had we just better wait till PreUpgrade 1.0 comes out? Or ...?

Don't hold your breath. Checking the packages is scheduled for 1.1:

https://fedorahosted.org/preupgrade/ticket/7

Checking the boot images is scheduled for 1.2, but that ticket talks about 
checksums, not signatures, so I think it's only intended to protect against 
accidental corruption, not malicious tampering:

https://fedorahosted.org/preupgrade/ticket/8

> 	If the latter, do we need to get rid of whatever-all 0.9.3-3
> downloaded? Or will we be able to just "yum update PreUpgrade" in F8 and
> then run it again?

I get the impression that Preupgrade is intended to keep previously downloaded 
files if you run it again, and only download missing files and new 
dependencies, if any.

If you choose to upgrade with Yum it should be possible to tell Yum to use the 
packages that Preupgrade downloaded. The security will then be the same as in 
any yum update command. Just be sure to delete the unchecked boot images so 
you don't accidentally boot them.

Björn Persson

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux