[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Deltarpm *not* ready for new RPM checksums (was Re: Ready for new RPM version?)



On Sat, 2009-04-18 at 16:56 +0200, Till Maas wrote:
> This is what I know and hope is true: The deltarpm tools are only used to 
> regenerate the original rpms instead of downloading then. Therefore they still 
> need to pass all verification that yum or rpm do, e.g. checking the gpg 
> signature. Therefore an attacker needs access to the signing keys to create a 
> malicous deltarpm that has a real security impact.

Exactly.  The md5 checksum in the deltarpm functions as just that, a
checksum against accidental corruption.  The security check comes from
the gpg signature after the rpm has been regenerated.

Jonathan

Attachment: signature.asc
Description: This is a digitally signed message part


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]