Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] Online Update
  • From: Volker Kuhlmann <kuhlmav@xxxxxxxxxxxxxxxxxxxxx>
  • Date: Wed, 30 Jan 2002 08:19:01 +1300
  • Message-id: <20020130081901.D2489@xxxxxxxxxxxxxxxxxxxxx>
> >As ftp is a weird protocol anyway, I don't think it should be used so
> >much, especially for important things like updates.
>
> They should use scp :-)

Oh please. rpm's package signing is there to check the integrity of packages
which have come from unknown sources (read ftp servers) and to protect
against intentional corruption. Using scp would be another waste of time,
as yast should pop up a big box in bright red reading "integrity of this
package can't be checked / fails to verify and it may be corrupted and
contain a trojan/virus/othernasty - would you like me to permanently remove
this package - default answer yes" if necessary. Note I'm talking about rpm
signatures, not its md5 sum, which only protects against accidental
corruption on download.

apt-get AFAIU does not check package signatures, nor are most debian
packages signed anyway. Considering the ten zillion packagers signing in a
way which makes some sense is somewhat difficult, and may not yet be
operational. I agree with Roman - use apt-get if you feel so inclined, I
won't. Why not use microdaft straight away - it's all very easy too, and
security is an afterthought at best.

I find downloading a recursive ftp server dir listing tells me what's new
(there are time stamps on files). wget and rpm -Kv immediately after
download work well, so does rpm -UvhF on all machines I have. If it's urgent
copy/paste from the advisory into wget does work too. I don't see a big
problem, although yes it could be automated more to make it an absolute
no-brainer. No doubt YOU will get there.

> I have submitted several bug reports to feedback@xxxxxxxx and bugs@xxxxxxx

It's feedback@xxxxxxx as listed in every rpm info and stated on mailing
lists many times. These reports are acted on, SuSE did say that many times
too, and I know from experience that that is correct.

Also, as it's security-relevant you ought to be using security@xxxxxxx at
least some days before contacting bugtraq.

> and not heard back from them. I have a serious mind to submit this to
> BugTraq in the hope of forcing SuSE to do something about it.
> I've never done anything like that before - do you think I should?

I consider it to be a serious issue if true, but unless you correctly notify
SuSE you can't claim "vendor notified" status on bugtraq, which does not
look good on you.

Volker

--
Volker Kuhlmann
Please do not CC list postings to me.
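The wget / rpm -K / rpm -F routine Volker describes, written out as a small script that only installs a package if rpm reports the signature (not merely the md5/digest) as OK. This is an added example, not code from the original post or from SuSE; it assumes rpm 4.x non-verbose `rpm -K` output (both the old `md5 gpg OK` and the later `digests signatures OK` wording), wget on PATH, a vendor public key already imported into the rpm keyring (`rpm --import`, rpm 4.1 and later), and a package URL supplied as the first argument. The sample result lines at the bottom are constructed to show what the gate accepts and rejects.

```shell
#!/bin/sh
# Added example: gate "rpm -K -> rpm -F" on a *signature* verdict, not on the
# md5/digest alone. Assumptions (not from the original post): rpm 4.x
# `rpm -K` output format, wget on PATH, vendor key already imported.

# Return 0 only if an `rpm -K` result line reports the signature as OK.
# rpm prints the digest/signature tokens in lower case when they verify,
# in UPPER case plus "NOT OK" when they fail, and leaves the signature token
# out entirely for an unsigned package - so a bare "md5 OK" is rejected.
sig_ok() {
    printf '%s\n' "$1" | grep -qE ': .*(gpg|pgp|signatures) OK$'
}

# Classify one result line as a short tag, for logging and branching.
sig_verdict() {
    if sig_ok "$1"; then
        echo signed-ok
    elif printf '%s\n' "$1" | grep -q 'NOT OK'; then
        echo signature-failed
    else
        echo unsigned
    fi
}

# Download, verify, then freshen (-F: only upgrade packages already installed,
# as in the post's rpm -UvhF). rpm -F is never reached unless the signature
# verified; otherwise the file is deleted, as the post's red YaST box would.
update_from_url() {
    url=$1
    file=${url##*/}
    wget -q -O "$file" "$url" || { echo "download failed: $url" >&2; return 1; }
    result=$(rpm -K "$file" 2>&1)
    case $(sig_verdict "$result") in
        signed-ok)
            rpm -Fvh "$file" ;;
        *)
            echo "REFUSING $file: $result" >&2
            rm -f "$file"
            return 1 ;;
    esac
}

# Constructed sample lines (not real rpm output from any package) in the two
# rpm -K wordings; only the first two should pass the gate.
for line in \
    'foo-1.0-1.i386.rpm: md5 gpg OK' \
    'foo-1.0-1.i386.rpm: digests signatures OK' \
    'foo-1.0-1.i386.rpm: md5 OK' \
    'foo-1.0-1.i386.rpm: digests OK' \
    'foo-1.0-1.i386.rpm: md5 gpg NOT OK' \
    'foo-1.0-1.i386.rpm: DIGESTS SIGNATURES NOT OK' \
    'foo-1.0-1.i386.rpm: (GPG) NOT OK (MISSING KEYS)'
do
    printf '%-20s %s\n' "$(sig_verdict "$line")" "$line"
done

# Only touch the network when a URL is actually given.
[ $# -eq 0 ] || update_from_url "$1"
```

The verdict is parsed from the text rather than taken from rpm's exit status because an unsigned package whose digests match is not an error to rpm; only the absence of the lower-case `gpg`/`pgp`/`signatures` token tells you the md5 was all that got checked, which is exactly the case the post warns about. The post's `rpm -Kv` prints a multi-line verbose report instead; drop the `-v` (or use `rpm --checksig`) to get the one-line form this parser expects.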
