PackageKit Misconceptions

Alexander Boström abo at kth.se
Sat Sep 1 07:33:17 UTC 2007


On Wed, 2007-08-22 at 13:13 -0800, Jeff Spaleta wrote:
> On 8/22/07, David Zeuthen <davidz at redhat.com> wrote:
> > Assume that Alice gets Fedora from Mallory's mirror. What prevents
> > Mallory from patching the rpm and yum programs that end up on Alice's
> > system to avoid honoring the keys that we, painfully, make her import?
> 
> would signing our mirror metadata help?

Hmm... Let's say someone is doing a MITM attack on your yum mirrors
(probably by replacing the mirrorlist with a list of their servers, or
using DNS tricks to point everything to them). What can they do? They
can certainly hide updates, giving you an outdated view of the repo so
you don't get any security updates. Anything else?

Anyway, I think every file on the mirrors should be signed somehow, and
everything downloaded by yum, Anaconda or the bootstrap code on boot.iso
and all the other ISOs should be checked against a public key
included on the boot media. So basically, if you have a trusted CD
containing boot.iso, your install would potentially be totally secure.

Btw, RHEL should do this too, because both with RHEL and Fedora, if you
do an FTP install, there's no verification of the packages, AFAICT. With
RHEL, you might have an internal FTP server with the extracted OS
distribution, but you're still assuming that your network is secure,
which is something you should always avoid doing.

> would importing the provided keys at install time help?
> (We have to assume the install media is trusted)

I think the installer should be free to rpm --import anything it puts
in /etc/pki, but it probably does not make sense to import rawhide keys
etc.

/abo
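As an added illustration (not part of this thread or of yum itself) of the two points above, that a signed repomd.xml should anchor a checksum chain down to every file fetched, and that signing alone does not stop a mirror from serving a stale but validly signed view: the check below assumes the detached signature on repomd.xml has already been verified against a key shipped on the boot media, then verifies the metadata it names and rejects metadata older than a local freshness policy. The sample metadata and the age limit are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"r": "http://linux.duke.edu/metadata/repo"}

# Constructed stand-in for primary.xml, the file repomd.xml's checksum covers.
PRIMARY_XML = b'<metadata packages="1"><package type="rpm"><name>bash</name></package></metadata>'

def build_repomd(revision, primary_bytes=PRIMARY_XML):
    """Construct a minimal repomd.xml whose sha256 entry matches primary_bytes."""
    sha = hashlib.sha256(primary_bytes).hexdigest()
    return (
        f'<repomd xmlns="{NS["r"]}"><revision>{revision}</revision>'
        f'<data type="primary"><checksum type="sha256">{sha}</checksum>'
        f'<location href="repodata/primary.xml.gz"/>'
        f'<timestamp>{revision}</timestamp></data></repomd>'
    )

def verify_repo_metadata(repomd_text, primary_bytes, now, max_age):
    """Return (ok, reason).

    Precondition (assumed, not shown): repomd_text's detached signature was
    verified against the pinned distribution key, so its contents are trusted.
    """
    root = ET.fromstring(repomd_text)
    data = root.find("r:data[@type='primary']", NS)
    if data is None:
        return False, "no primary entry in repomd.xml"
    # Step 1: the signed metadata names the hash of the next file in the chain.
    expected = data.findtext("r:checksum", namespaces=NS)
    actual = hashlib.sha256(primary_bytes).hexdigest()
    if actual != expected:
        return False, "primary.xml checksum mismatch"
    # Step 2: a valid signature on old metadata is still a stale view; a mirror
    # replaying it hides newer (security) updates, so enforce a maximum age.
    revision = int(root.findtext("r:revision", namespaces=NS))
    if now - revision > max_age:
        return False, "repository metadata older than freshness policy"
    return True, "ok"

if __name__ == "__main__":
    published = 1_188_000_000            # constructed publication time (epoch seconds)
    week = 7 * 86400
    repomd = build_repomd(published)
    print(verify_repo_metadata(repomd, PRIMARY_XML, published + 3600, week))
    print(verify_repo_metadata(repomd, PRIMARY_XML + b"\n", published + 3600, week))
    print(verify_repo_metadata(repomd, PRIMARY_XML, published + 2 * week, week))
```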

More information about the Fedora-desktop-list mailing list