How secure is Preupgrade? Answer: Not.
max
maximilianbianco at gmail.com
Wed May 21 22:01:04 UTC 2008
Beartooth Sciurivore wrote:
> On Wed, 21 May 2008 00:27:17 +0200, Björn Persson wrote:
>
>> I went ahead and read the code. [....]
>>
>> I've got my answer: Preupgrade is not secure. I'll continue upgrading
>> the way I've done it before – either with Yum or from a DVD image on a
>> USB stick.
>
> Dumb question, probably: if you install and run preupgrade
> according to http://fedoraproject.org/wiki/PreUpgrade, BUT let it stop
> after downloading boot images, is there some user-friendly thing you can
> do then to make it secure? Something on the order of getting into a
> directory and commanding, in effect, "check all signatures"?
>
> Or had we just better wait till PreUpgrade 1.0 comes out? Or ...?
>
> If the latter, do we need to get rid of whatever-all 0.9.3-3
> downloaded? Or will we be able to just "yum update PreUpgrade" in F8 and
> then run it again?
>
I don't think you can do anything unless you can verify the images on
your own after the download. You'll have to track down where everything
is stored; I know some of it is in /boot/upgrade, but I am not sure if
verifying the images there is all that is needed. I am going to scan the
code myself. I am limited in skill when it comes to coding, but I've
taken programming classes in the past and of course I am self-teaching
the C, so maybe it won't be hard to add the proper checks. In any case I
am short on time, so if you haven't used preupgrade I would avoid it for
now and go with a more traditional method for the moment. It really
sucks that the proper verification isn't done, but until I look into it
myself I won't know anything for sure; not that I don't trust Björn's
assessment, but everyone makes mistakes, though I think it likely he is
on the money. Disappointing that anyone could be so flip about the
proper security checks, but we are all only human I guess. Anyway, someone
else may have a good way to go about it; I'd like to find one. This
install is perfectly usable with only a small glitch or two. I am
rocking to Alice in Chains right now!!
--
On the eighth day he said "There shall be no rest for the weary."
On the ninth day he farted, and it smelled like sulphur.
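The "check all signatures" step Beartooth asks about, as an added example that is not part of this thread or of the Preupgrade project: a Python checker that verifies every file in a download directory against a manifest in the same `hash  filename` format that `sha256sum` produces, and reports files that mismatch, are missing, or are present but unlisted. The directory contents, file names and manifest below are constructed for the demo; the thread only says that some of Preupgrade's files live in /boot/upgrade, and nothing about a manifest format, so treat the layout as an assumption. The manifest itself is only as trustworthy as whatever authenticated it beforehand (for example a detached-signature check with `gpg --verify` against a key you already trust); this block does not do that step, it only does the per-file comparison that follows it.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large boot images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines ("<64 hex>  <name>" or "<64 hex>  *<name>")."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_directory(manifest_text, directory):
    """Compare every manifest entry against the file on disk.

    The manifest is assumed to have been authenticated already (e.g. a
    signature on it checked out); this function only does the hash comparison.
    """
    expected = parse_manifest(manifest_text)
    result = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            result["missing"].append(name)
        elif sha256_of(path) == digest:
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)
    # Anything on disk that the manifest does not vouch for is flagged too;
    # an extra file in a boot directory is as suspicious as a changed one.
    for name in sorted(os.listdir(directory)):
        if name not in expected and os.path.isfile(os.path.join(directory, name)):
            result["unlisted"].append(name)
    return result


def all_verified(result):
    """True only when nothing mismatched, nothing is missing and nothing is unlisted."""
    return not (result["mismatch"] or result["missing"] or result["unlisted"])


def demo():
    """Constructed scenario: a clean download, then a tampered one."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-ins for downloaded boot images (not real kernel data).
        files = {
            "vmlinuz": b"kernel bytes (constructed sample)",
            "initrd.img": b"initrd bytes (constructed sample)",
        }
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = "\n".join(
            f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in files.items()
        )
        clean = verify_directory(manifest, d)

        # Simulate tampering: append a byte to initrd, drop in an unlisted file,
        # and reference a file in the manifest that never arrived.
        with open(os.path.join(d, "initrd.img"), "ab") as f:
            f.write(b"X")
        with open(os.path.join(d, "extra.bin"), "wb") as f:
            f.write(b"unexpected")
        manifest_with_missing = manifest + "\n" + "0" * 64 + "  memtest"
        tampered = verify_directory(manifest_with_missing, d)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean download verified:", all_verified(clean))
    print("tampered download verified:", all_verified(tampered), tampered)
```

Point it at a real download directory with `verify_directory(open("CHECKSUM").read(), "/boot/upgrade")` once the CHECKSUM file has been authenticated; a result where `all_verified` is false means the images should not be booted.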