Re: Secrecy and user trust

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ed Greshko wrote:


I think you have no concept of public/private encryption or signing.

My concept is that if I can fool you into accepting a false public
key, I can sign packages with the matching false private key, and when
you install the first such package it may (probably will) include evil
things of some nature.

Do you disagree? Or feel that if I can get you to run one evil package
I can't put in a root kit, or rend personal information from your
systems, or otherwise attack your system?

If you feel that line of attack is not possible do tell me how your
concept of encryption and signing prevents it.

I thought you were talking "real world" as opposed to purely hypothetical.

I think it is a reasonable real world assumption that some users could have their DNS compromised in a way that would make them pull packages from somewhere other than the official repositories. Can any key trust scenario where they have to obtain a new key protect against installing modified packages? (i.e. assume that the fake key and packages come from the same place(s) pretending to be the official repositories and mirrors).

--
  Les Mikesell
   lesmikesell@xxxxxxxxx




--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux