On Sa April 18 2009, Axel Thimm wrote: > On Tue, Mar 10, 2009 at 07:52:32PM +0200, Jonathan Dieter wrote: > > On Tue, 2009-03-10 at 19:41 +0200, Jonathan Dieter wrote: > > > Ok, I've been trying this, but how can we tell if the sequence is > > > sha256 or md5 if we're *just* given the sequence (i.e. applydeltarpm -c > > > -s audit-libs-1.7.12-1.fc11-04548395de7d18795d88b32ea98897e90140 where > > > it's a sha256 sequence)? > > > > Ok, I've got it. We just check against md5 first, then sha256 if md5 > > doesn't match. It's not elegant, but it should work fine, especially > > since we're only checking for verification, *not* security. > > > > Jonathan > > Sorry for jumping in that late, but assuming a malicious deltarpm that > could fake a matching md5 sum to pass validation, wouldn't it get > applied and make that a security issue? This is what I know and hope is true: The deltarpm tools are only used to regenerate the original rpms instead of downloading then. Therefore they still need to pass all verification that yum or rpm do, e.g. checking the gpg signature. Therefore an attacker needs access to the signing keys to create a malicous deltarpm that has a real security impact. Regards Till
Description: This is a digitally signed message part.