Mailinglist Archive: opensuse (4570 mails)
Re: [opensuse] Re: warnings
- From: Pascal Bleser <pascal.bleser@xxxxxxxxx>
- Date: Mon, 07 Nov 2005 16:34:57 +0100
- Message-id: <436F7421.8020700@xxxxxxxxx>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
mop48836 wrote:
> Patrick Shanahan wrote:
>> * mop48836 <mop48836@xxxxxxxxxxxxxxx> [11-07-05 09:15]:
>>> So, suppose that someone builds rpms with those directives (%defattr,
>>> ...) with "common" user names, like "mike", "dave", etc.
>>> (not like "kosta", rather unusual..) with the purpose to compromise,
>>> "statistically", those machines?
>>> Would that be possible?
>>> If yes, wouldn't it be a severe security flaw?? I can't believe that!!
>> Which is why _most_ rpms are signed and their keys provided.
>> Please trim your quotes and refrain from top-posting. tks
>> http://www.netmeister.org/news/learn2quote.html
...
> About the subject: so, when rpms are signed and key provided, we can
> assure they are OK, that's it?
No. But you know who has built the package, for sure (unless the key is compromised, but that's
rather unlikely to happen).
- don't install RPMs that are not signed
- only use repositories you trust (packman, suser-guru, others...)
- only import signature keys (rpm --import) of repositories you trust
- if you want to be really sure, inspect every package before installation:
  - rpm -qlp <package>.rpm ===========> will give you a list of the files (*)
  - rpm -qp --scripts <package>.rpm ==> will show you the pre/post-installation scripts
                                        that would be executed
  - rpm --checksig <package>.rpm =====> verifies that the package is signed and whether
                                        you have the signature(s) in your database; it also
                                        verifies the signed checksum/hash
> Thus, a good user practice would be to never install rpms that do not
> fulfil those conditions; is this correct?
Definitely never install packages that are not signed by someone you trust.
cheers
--
-o) Pascal Bleser http://linux01.gwdg.de/~pbleser/
/\\ <pascal.bleser@xxxxxxxxx> <guru@xxxxxxxxxxx>
_\_v FOSDEM 2006 -- 25+26 February 2006 in Brussels