Several news sites recently published articles citing a report about attacks on package managers [1]. Some unfortunately chose a wording that could be misunderstood as if a rogue mirror server could trick YaST into installing malicious software when applying regular (security-)updates.
This is not the case. All official update repositories for SUSE Linux based products use cryptographically signed packages and metadata. YaST verifies the cryptographic signatures and rejects any file whose signature doesn't match. Therefore it's not possible for a rogue mirror to introduce malicious software.
Question, please: when a user adds a repository, he is asked to add its key first. Where is this key imported from: from the repository itself, from a central repo, or from the chain of HKP keyservers? Usually we simply click "accept", as there is no clear method of checking, trusting, and importing the key except by clicking "accept" when the repo is added. Perhaps YaST, or zypper, should include a key management module.

Once the correct key is imported, it is obvious that a rogue repo would be detected. The problem IMO (I haven't read the report) is the key import phase. I understand you have a person studying this precise problem, so it will be nice to learn the conclusions :-)

--
Saludos
Carlos E.R.
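What the missing check at the key-import step could look like, as an added example that is not code from YaST, zypper or anyone in this thread: instead of clicking "accept" on whatever key the repository serves (trust on first use), the administrator pins the key's fingerprint, obtained out of band, and the import is refused unless the served key matches. The script reads an ASCII-armored public key block of the kind shipped as repomd.xml.key, checks the armor's CRC-24, parses only the primary public-key packet, and computes its OpenPGP v4 fingerprint per RFC 4880 (SHA-1 over 0x99, the two-octet body length and the body). The fingerprint is the same value GnuPG prints for the key file. The sample key packet below is constructed for the example (a made-up 1024-bit RSA modulus, not a real repository key), and the pinned-fingerprint set is a hypothetical input; real key files carry further packets (user IDs, signatures, subkeys) after the primary key, which this parser ignores because they do not enter the fingerprint.

```python
"""Pinned-fingerprint check for a repository signing key before import.
Added example, not code from YaST or zypper. Parses only the primary
public-key packet of an OpenPGP key block (RFC 4880) to fingerprint it."""
import base64
import hashlib


def crc24(data: bytes) -> int:
    """Radix-64 checksum from RFC 4880 section 6.1 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(raw: bytes) -> str:
    """Wrap raw packets in a PUBLIC KEY BLOCK, the layout of a repomd.xml.key file."""
    body = base64.b64encode(raw).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "Version: example", ""]
                     + lines + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"])


def dearmor(text: str) -> bytes:
    """Strip the armor and check its CRC-24, so a corrupted key file is rejected early."""
    lines = text.strip().splitlines()
    if lines[0] != "-----BEGIN PGP PUBLIC KEY BLOCK-----":
        raise ValueError("not an armored public key block")
    start = lines.index("") + 1          # data begins after the blank line ending the headers
    payload = [l for l in lines[start:-1] if not l.startswith("=")]
    crc_line = [l for l in lines[start:-1] if l.startswith("=")]
    raw = base64.b64decode("".join(payload), validate=True)
    if crc_line and crc24(raw) != int.from_bytes(base64.b64decode(crc_line[0][1:]), "big"):
        raise ValueError("armor CRC-24 mismatch: key file is corrupted or tampered")
    return raw


def primary_key_body(raw: bytes) -> bytes:
    """Body of the first packet, which must be the primary public key (tag 6)."""
    hdr = raw[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                       # new-format header, e.g. 0xC6
        tag, first = hdr & 0x3F, raw[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + raw[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(raw[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                # old-format header, e.g. 0x99
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        off = 1 + (1, 2, 4)[ltype]
        length = int.from_bytes(raw[1:off], "big")
    if tag != 6 or len(raw) < off + length:
        raise ValueError("expected a complete public-key packet (tag 6)")
    return raw[off:off + length]


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, two-octet body length, body.
    The header byte hashed is always 0x99, whatever framing the file used;
    the key ID is the last 16 hex digits of the result."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are supported")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def vet_repo_key(armored_key: str, pinned_fingerprints) -> tuple:
    """Accept the served key only if its fingerprint is one the admin pinned out of band."""
    fpr = v4_fingerprint(primary_key_body(dearmor(armored_key)))
    pinned = {p.replace(" ", "").upper() for p in pinned_fingerprints}
    return fpr in pinned, fpr


def mpi(value: int) -> bytes:
    """Multi-precision integer: two-octet bit count followed by the big-endian value."""
    nbits = value.bit_length()
    return nbits.to_bytes(2, "big") + value.to_bytes((nbits + 7) // 8, "big")


# Constructed sample (not a real repository key): v4, creation time, RSA (algo 1),
# a made-up 1024-bit modulus and e = 65537, framed with an old-format 0x99 header.
SAMPLE_KEY_BODY = (bytes([4]) + (1594000000).to_bytes(4, "big") + bytes([1])
                   + mpi(int.from_bytes(b"\xC3" + b"\x5A" * 127, "big")) + mpi(65537))
SAMPLE_KEY_PACKET = b"\x99" + len(SAMPLE_KEY_BODY).to_bytes(2, "big") + SAMPLE_KEY_BODY
SAMPLE_ARMORED_KEY = armor(SAMPLE_KEY_PACKET)
```

Usage: `vet_repo_key(open("repomd.xml.key").read(), {"<fingerprint from the vendor's web page or announcement>"})` returns `(False, fingerprint)` for a key that is not pinned, and the caller then skips the import rather than prompting for "accept". The decisive design point is that the pinned value must come from a channel the mirror does not control; comparing against a fingerprint read from the same repository would only re-implement trust on first use.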