Re: RPM security (a newbie question)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



"Stanisław T. Findeisen" wrote:
> What does the process of installing new RPM package look like? There
> are some commands that such package is allowed to execute, right?

By policy, there are things that rpm scriptlets should not do.  But if
you created an rpm which had a %post section containing rm -rf /, rpm
would run it AFAIK.

> Also what's the difference between "Everything" and "Fedora" dirs in
> Fedora package tree?

The Fedora dir contains just what is included on the DVD media.  The
Everything dir contains all of the packages available.  Everything is
a superset of Fedora.

> I wonder how easy it is to create a rootkit/trojan horse/whatever
> and get it loaded on Fedora users' computers.

You would need to create a trojan package and get it onto the mirrors,
signed by the Fedora package signing key for a particular release.
This is not an easy task, as the keys are held pretty tightly, with
very limited access (if a handful of people can sign packages, I'd be
surprised).

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
An election is coming. Universal peace is declared and the foxes have
a sincere interest in prolonging the lives of the poultry.
    -- T.S. Eliot

Attachment: pgprYwl88Mcaz.pgp
Description: PGP signature

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux