New Key Repo Locations

Axel Thimm Axel.Thimm at ATrpms.net
Sun Aug 31 08:37:06 UTC 2008


On Sun, Aug 31, 2008 at 01:18:25AM -0700, Toshio Kuratomi wrote:
> Warren Togami wrote:
> > Matt Domsch wrote:
> >> On Sat, Aug 30, 2008 at 07:46:31PM +0300, Axel Thimm wrote:
> >>> On Fri, Aug 29, 2008 at 02:56:38PM -0400, Jon Stanley wrote:
> >>>> We're using MM to redirect ALL requests for the old repo location to
> >>>> mirrors that we have ultimate control over.
> >>> I don't think that's true, see [1] for 64 mirrors that are suggested
> >>> for my location that are certainly not under Red Hat/Fedora control,
> >>> actually it looks like none is.
> >>
> >> that's the plan, it's not implemented yet.  In fact, I'll probably
> >> just do it with plain HTTP redirects in an httpd.conf file rather than
> >> special-case it in MM.
> >>
> > 
> > http://lists.fedoraproject.org/pipermail/rel-eng/2008-August/001627.html
> > Matt, you are misunderstanding the plan.  No redirections are necessary
> > at any level of this plan.
> > 
> Warren, I think we need to add redirection as step 6.1.
> 
> If we don't lock out mirrors that we don't control at that stage,
> there's nothing to prevent the following scenario:
> 
> Person with the key has brute forced passphrase and compromises mirror.
> uploads packages signed with old key to the F-9 repo on the old mirror.
>  Among other things these packages subvert yum so that it will only
> update from compromised mirrors and removes the new key from the
> NEWREPO.  User downloads F-9 ISO.  Installs F-9 with old key as valid.
> User hits the compromised mirror on first yum update and installs
> compromised packages.

I more and more like the idea of killing F8 and F9 and going F8.1 and
F9.1. The person with the F9 DVD might even manually download a bad
signed package and think it is Fedora signed. He might even turn on
malicious or compromised 3rd party repos that carry malicious packages
signed with the old key and not notice how willing his DVD install
will swallow these packages in.

Once again, either the intruder is considered unable to sign packages
due to a very good passphrase (and then we don't even need to start
this stepdance), or if signed malware is realistic then the old key
and all assorted bits need to be considered dead including old F9
DVDs. Much more than RHEL, Fedora is an open system with many software
flow channels from volunteer mirrors to 3rd party repos, driver ISVs,
sf.net rpms, etc. as well as manual installs. So even if the Fedora
mirrors issue is dealt with there are still lots of open spots.

I propose to

a) respin F8/F9 with updates (all signed with the new key) to create
   8.1, 9.1. Fedora Unity recently did some respins, so maybe it is
   just cut and paste.
b) empty F8/F9 updates and just place a package in there that will
   automatically upgrade any F8/F9 system to F8.1/F9.1. Redirect all
   mirrormanager controlled URLs to a controlled entity that only
   serves this package for F8/F9. Being a single package this will be
   a much lighter load than turning off all mirrors. The mirrors will
   still be used for 8.1/9.1.
c) make sure users get alerted about this, maybe by some applet.
-- 
Axel.Thimm at ATrpms.net
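Added example, not from this thread and not Fedora's own tooling: a small Python model of the scenario discussed above. A client whose keyring still carries the old key accepts anything the holder of that key signs, while an install that only carries the new key refuses it; a forged signature is refused either way. Key ids, secrets and package names are constructed stand-ins, and HMAC replaces the detached OpenPGP signatures a real repo uses so that the model runs offline; the trust-decision logic is what the example shows.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for repo signing keys. A real repo uses detached
# OpenPGP signatures on each RPM; here a "key" is an HMAC secret plus a short
# key id, which is enough to model whose signatures a client will accept.
# Assumption: every id, secret and package name below is made up.
OLD_KEY_ID, OLD_SECRET = "OLD-F9-KEY", b"constructed-old-secret"
NEW_KEY_ID, NEW_SECRET = "NEW-F9-KEY", b"constructed-new-secret"
ATTACKER_SECRET = b"constructed-attacker-secret"  # never in any keyring


@dataclass(frozen=True)
class Package:
    name: str
    payload: bytes     # stands in for the RPM bytes
    key_id: str        # key the publisher claims signed this package
    signature: bytes


def sign(name: str, payload: bytes, key_id: str, secret: bytes) -> Package:
    """Publisher side: sign the payload with whatever secret the signer holds."""
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return Package(name, payload, key_id, mac)


def verify(pkg: Package, keyring: dict) -> bool:
    """Client side: accept only if the claimed key is still in the keyring
    and the signature verifies under that key."""
    secret = keyring.get(pkg.key_id)
    if secret is None:
        return False
    expected = hmac.new(secret, pkg.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkg.signature)


def plan_update(manifest: list, keyring: dict) -> tuple:
    """Split a mirror's package list into what the client would install
    and what it would refuse, given the keys it currently trusts."""
    accepted = [p.name for p in manifest if verify(p, keyring)]
    rejected = [p.name for p in manifest if not verify(p, keyring)]
    return accepted, rejected


# Constructed mirror content: a legitimate update signed with the new key,
# a package re-signed by whoever holds the compromised old key, and a
# package whose signature was forged without any real key.
MIRROR = [
    sign("yum-legit", b"legitimate yum update", NEW_KEY_ID, NEW_SECRET),
    sign("yum-trojaned", b"subverted yum", OLD_KEY_ID, OLD_SECRET),
    sign("kernel-forged", b"forged kernel", OLD_KEY_ID, ATTACKER_SECRET),
]

# Keyring as installed from an original F9 DVD: only the old key is known.
DVD_KEYRING = {OLD_KEY_ID: OLD_SECRET}
# Keyring during a rollover that keeps the old key alongside the new one.
ROLLOVER_KEYRING = {OLD_KEY_ID: OLD_SECRET, NEW_KEY_ID: NEW_SECRET}
# Keyring of a respun F9.1 install: old key removed, only the new key trusted.
RESPIN_KEYRING = {NEW_KEY_ID: NEW_SECRET}


if __name__ == "__main__":
    for label, keyring in [("F9 DVD", DVD_KEYRING),
                           ("rollover", ROLLOVER_KEYRING),
                           ("F9.1 respin", RESPIN_KEYRING)]:
        installs, refuses = plan_update(MIRROR, keyring)
        print(f"{label:12s} installs {installs}, refuses {refuses}")
```

The point of the three keyrings is that signature checking alone never protects a client that still trusts the compromised key: only removing that key (the respin case) makes the trojaned package fail verification, which is why leaving the old key valid on existing DVDs keeps those installs exposed.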