Mailinglist Archive: opensuse-security (50 mails)

[opensuse-security] Re: [security-announce] Package management security on SUSE Linux
  • From: "Carlos E. R." <carlos.e.r@xxxxxxxxxxxx>
  • Date: Fri, 18 Jul 2008 02:33:24 +0200 (CEST)
  • Message-id: <alpine.LSU.1.00.0807180224080.7677@xxxxxxxxxxxxxxxx>


On 2008-07-15 at 17:10 +0200, Ludwig Nussel wrote:

> Several news sites recently published articles citing a report about
> attacks on package managers [1]. Some unfortunately chose a wording
> that could be misunderstood as if a rogue mirror server could trick
> YaST into installing malicious software when applying regular
>
> This is not the case. All official update repositories for SUSE
> Linux based products use cryptographically signed packages and meta
> data. YaST verifies the cryptographic signatures and rejects any
> file whose signature doesn't match. Therefore it's not possible for
> a rogue mirror to introduce malicious software.

Question, please:

When a user adds a repository, he is asked to add its key first. Where is this key imported from: the repository itself, a central repo, or the chain of HKP keyservers? Usually we simply click "accept", as there is no clear method of checking, trusting, and importing the key except by clicking "accept" when the repo is added. Perhaps YaST, or zypper, should include a key management module.

Once the correct key is imported, it is obvious that a rogue repo would be detected. The problem IMO (I haven't read the report) is the key import phase. I understand you have a person studying this precise problem, so it will be nice to learn the conclusions :-)

-- Regards
Carlos E.R.
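The key-import step Carlos asks about, as an added example that is not part of the original thread: a POSIX shell script that fetches a repository's signing key, prints its fingerprint, and imports it into the RPM keyring only if it matches a fingerprint obtained from a trusted out-of-band source (since the key offered by the repository comes from the same server as the packages, the out-of-band fingerprint is what establishes trust). It assumes an rpm-md repository layout (repodata/repomd.xml.key), curl, GnuPG 2.1 or later and rpm; the fingerprint in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# verify_repo_key.sh: import a repository signing key only after its
# fingerprint matches one obtained out of band (added example).
# Assumes: rpm-md layout (repodata/repomd.xml.key), curl, gpg >= 2.1, rpm.
set -eu

# Canonicalise a fingerprint: strip a 0x prefix, spaces and colons, upper-case,
# so "0x0123 4567 ...", "01:23:45:67:..." and "01234567..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | sed -e 's/^0[xX]//' -e 's/[[:space:]:]//g' | tr 'a-f' 'A-F'
}

# Succeed only for an exact match of a full 40-hex-digit (v4) fingerprint;
# a short key id or a prefix is refused, since those are cheap to collide.
fpr_matches() {
    exp=$(normalize_fpr "$1"); act=$(normalize_fpr "$2")
    [ "${#exp}" -eq 40 ] || return 1
    [ "$exp" = "$act" ]
}

# Primary-key fingerprint of an armoured key file, read without importing it
# into gpg's keyring (show-only); fpr lines carry the fingerprint in field 10.
fpr_from_keyfile() {
    gpg --batch --with-colons --import-options show-only --import "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

main() {
    repo_url=$1; expected=$2
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    # The repository serves its own key, so this download proves nothing by
    # itself; trust comes from comparing against the out-of-band fingerprint.
    curl -fsSL "$repo_url/repodata/repomd.xml.key" -o "$tmp/repo.key"
    actual=$(fpr_from_keyfile "$tmp/repo.key")
    echo "repository key fingerprint: $actual"
    if fpr_matches "$expected" "$actual"; then
        rpm --import "$tmp/repo.key"
        echo "fingerprint matches, key imported into the RPM keyring"
    else
        echo "fingerprint MISMATCH (expected $(normalize_fpr "$expected")), key NOT imported" >&2
        exit 1
    fi
}

# Usage (constructed placeholder fingerprint, not a real key):
#   verify_repo_key.sh https://example.invalid/repo \
#       "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
if [ "$#" -eq 2 ]; then main "$@"; fi
```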
