Carlos: Glad to hear that based on your study, YOU runs a "--checksig" before installing any new package. I know "fou4s" does (unless you turn that feature off). On {SuSE-Security} list, I asked the question if "kpackage" runs a "checksig". No one replied back that it did, and I don't have the skills yet to determine on my own if it does. (Maybe next year...) However, I for one do run rpm -v --checksig on all my downloaded packages, before using "kpackage" to install them. --- doesn't mean I couldn't be fooled. For example, someone could come in my house while I was sleeping and change my key ring, but frankly I have other things to worry about... like how to get the new Gome2 packages installed. ************ "Carlos E. R." wrote:

The 03.02.25 at 14:50, zentara wrote:

...

Another worry which is gaining attention is switching DNS servers to feed you bad code. Say for instance, some evil person on the network, knows you go to "such and such mirror" to get your binary rpms. When you login they could redirect to a bogus nameserver, which will send you to a "bogus mirror" of the real site, filled with tampered rpms. Then once they know you've downloaded their worm, they let you connect again to the real site. The original site is totally innocent. How often do you check the md5sums of the files you download from a mirror, against the md5sums listed on the original server?

I (Carlos E.R.) have been analysing how YOU works, and I know it runs this test after it downloads a patch (on all of them), and before trying to install any of them:

rpm --checksig /usr/local/update/i386/update/8.1/rpm/i586/arts-1.0.4-4.i586.patch.rpm

According to the rpm man page:

SIGNATURE CHECKING The general form of an rpm signature check command is

rpm --checksig +

This checks the PGP signature of package to ensure its integrity and origin. PGP configuration infor­ mation is read from configuration files. See the section on PGP SIGNATURES for details.

Thus, that man in the middle attack has been thought off :-)

*****snip****

-- Cheers, Carlos Robinson

When I run "rpm --checksig" I add a -v to it so I know who signed the package. I did check my SuSE keyring against their website, and against several public key mirrors using "gpg" What I didn't do is call up, for example, Roman Drahmueller up and ask him to verify over the phone his key, but I do have a list of who normally signs each package. Hopefully, this reduces the paranoia. The other keys is have backups -- and assume that big brother knows everything, anyways, so what. HTH Gar __________________________________________________________________ The NEW Netscape 7.0 browser is now available. Upgrade now! http://channels.netscape.com/ns/browsers/download.jsp Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/