mop48836 wrote:
> Patrick Shanahan wrote:
>> * mop48836 [11-07-05 09:15]:
>>> So, suppose that someone builds rpms with those directives
>>> (%defattr, ...) with "common" user names, like "mike", "dave", etc.
>>> (not like "kosta", rather unusual..) with the purpose to compromise,
>>> "statistically", those machines? Would that be possible? If yes,
>>> wouldn't it be a severe security flaw?? I can't believe that!!
>>
>> Which is why the _most_ rpm's are signed and their keys provided.
>>
>> Please trim your quotes and refrain from top-posting. tks
>> http://www.netmeister.org/news/learn2quote.html
> ...
> About the subject: so, when rpms are signed and key provided, we can
> assure they are OK, that's it?

No. But you know who has built the package, for sure (unless the key is compromised, but that's rather unlikely to happen).

- don't install RPMs that are not signed
- only use repositories you trust (packman, suser-guru, others...)
- only import signature keys (rpm --import) of repositories you trust
- if you want to be really sure, inspect every package before installation:
  - rpm -qlp <package>.rpm ===========> will give you a list of the files (*)
  - rpm -qp --scripts <package>.rpm ==> will show you the pre/post-installation scripts that would be executed
  - rpm --checksig <package>.rpm =====> verifies that the package is signed and whether you have the signature(s) in your database; it also verifies the signed checksum/hash

> Thus, a good user practice would be to never install rpms that do not
> fulfill those conditions; is this correct?

Definitely never install packages that are not signed by someone you trust.
cheers
--
-o) Pascal Bleser http://linux01.gwdg.de/~pbleser/
/\\
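
The pre-installation inspection listed in the reply above, as an added example that is not part of the original post: it wraps the three rpm queries and also flags files owned by a user other than root or carrying setuid/setgid bits, which is the %defattr concern raised in the thread. The function names are hypothetical, `rpm -qlvp` is used in place of `rpm -qlp` to get owners and modes, and the `--checksig` result formats and `ls -l` style listing handled here are assumptions about rpm's output.

```shell
#!/bin/sh
# Added example: pre-installation checks for a downloaded RPM.

# classify_sig: read one `rpm --checksig <pkg>` result line on stdin and
# print "signed-ok", "unsigned" or "bad".
# Assumed formats: "pkg.rpm: digests signatures OK" (newer rpm) and
# "pkg.rpm: (sha1) dsa sha1 md5 gpg OK" (older rpm); failures contain "NOT OK".
classify_sig() {
    line=$(cat)
    res=${line##*: }          # drop the file name so it cannot match below
    case "$line" in
        *"NOT OK"*) echo bad ;;
        *OK)
            case "$res" in
                *signatures*|*gpg*|*pgp*|*rsa*|*dsa*) echo signed-ok ;;
                *) echo unsigned ;;   # digests verified, but no signature
            esac ;;
        *) echo bad ;;
    esac
}

# flag_files: read `rpm -qlvp <pkg>` output on stdin (assumed layout:
# mode links owner group size month day year path) and print every file
# that is not owned by root or has a setuid/setgid bit.
# Paths containing spaces are not handled.
flag_files() {
    awk '{
        why = ""
        if ($3 != "root") why = "owner=" $3
        if (substr($1, 4, 1) ~ /[sS]/ || substr($1, 7, 1) ~ /[sS]/)
            why = why (why ? "," : "") "setid"
        if (why) print $9, why
    }'
}

# inspect_rpm: run the checks against a package file without installing it.
inspect_rpm() {
    pkg=$1
    echo "signature: $(rpm --checksig "$pkg" | classify_sig)"
    echo "--- pre/post-installation scripts ---"
    rpm -qp --scripts "$pkg"
    echo "--- files to review ---"
    rpm -qlvp "$pkg" | flag_files
}
```

Source the file and run `inspect_rpm <package>.rpm`; a result of "unsigned" or "bad" means the package does not meet the conditions given above.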