Re: How secure is Preupgrade? Answer: Not.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



stan wrote:
> If anaconda uses rpm to do the upgrade, there is a blurb in the man file
> stating that rpm automatically does the md5 check on install.  I think
> these are signed with a Fedora specific key, so they would fail if they
> weren't official or were tampered with.

Checking the MD5 sum detects accidentally corrupted packages. To detect that a 
package has been tampered with you have to check the PGP signature. A bad guy 
can easily generate a new MD5 sum for his modified package. He can't generate 
a new PGP signature unless he has a private key that corresponds to one of 
the public keys that are loaded in your local RPM database.

But as the installer may have been tampered with, it may have inserted the bad 
guy's own key in your RPM database, or it may have installed a modified RPM 
that says everything is OK, or any other nasty stuff. I don't think the 
probability is all that high, but the possibility is there.

Björn Persson

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux