Re: PackageKit Misconceptions
- From: "Richard Hughes" <hughsient gmail com>
- To: "Discussions about development for the Fedora desktop" <fedora-desktop-list redhat com>
- Subject: Re: PackageKit Misconceptions
- Date: Wed, 22 Aug 2007 18:40:39 +0100
On 22/08/07, Jesse Keating <jkeating redhat com> wrote:
> Also it's easy enough to install some piece of software off the net
> that drops a yum repo file in place and starts handing you packages
> from another repo. You should get the opportunity to confirm your
> trust in this repo before it starts replacing all kinds of packages in
> your system.
> (now said packages that drop a repo file could just easily set
> gpgcheck=no and bypass all the trust issues, but that's neither here
> nor there)
I think it is very important actually. If a malicious package is
putting files in random places as the root user (installing a package
manually using rpm) then we've essentially lost security on the system
as far as I'm concerned.
You could take this argument one step further and a malicious package
could be designed to patch yum/rpm to not do the gpg checks.
Richard.
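
Added example, not part of the original message: a defender-side audit of the case raised in the quoted text, where a repo file dropped onto the system sets `gpgcheck=no`. The sample repo content and the `unverified_repos` helper are constructed for illustration, and the `main_gpgcheck` parameter is an assumption about what `[main]` in yum.conf sets. As the reply points out, a package installed as root could equally alter yum or rpm themselves, which a configuration check like this cannot see.

```python
import configparser
import glob

# Constructed sample, not taken from a real system.
SAMPLE_REPO = """\
[distro]
baseurl=http://mirror.example.invalid/distro/
enabled=1
gpgcheck=1

[dropped-by-package]
baseurl=http://repo.example.invalid/
enabled=1
gpgcheck=no

[disabled-extra]
baseurl=http://repo.example.invalid/extra/
enabled=0
gpgcheck=0

[inherits-main]
baseurl=http://repo.example.invalid/other/
"""

BOOL = {"1": True, "yes": True, "true": True, "0": False, "no": False, "false": False}

def unverified_repos(repo_text, main_gpgcheck=True):
    """Return (repo_id, reason) for each enabled repo that skips GPG checks.

    main_gpgcheck is the caller's assumption about gpgcheck in yum.conf [main],
    which repo sections inherit when they do not set their own value.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(repo_text)
    findings = []
    for repo_id in cp.sections():
        sec = cp[repo_id]
        if BOOL.get(sec.get("enabled", "1").strip().lower(), True) is False:
            continue  # disabled repos are never consulted
        raw = sec.get("gpgcheck")
        if raw is None:
            if not main_gpgcheck:
                findings.append((repo_id, "no gpgcheck set; inherits off from [main]"))
        elif BOOL.get(raw.strip().lower()) is not True:
            # explicit off, or an unrecognised value: fail closed and report it
            findings.append((repo_id, "gpgcheck=" + raw.strip()))
    return findings

if __name__ == "__main__":
    for path in sorted(glob.glob("/etc/yum.repos.d/*.repo")):
        with open(path) as fh:
            for repo_id, reason in unverified_repos(fh.read()):
                print(f"{path}: [{repo_id}] {reason}")
```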