On Tue, Nov 3, 2015 at 8:54 AM, Daniel Shahaf <d.s_at_daniel.shahaf.name> wrote:
> Nico Kadel-Garcia wrote on Tue, Nov 03, 2015 at 06:06:18 -0500:
>> On Mon, Nov 2, 2015 at 8:59 AM, Junek Leoš <junek_at_oksystem.cz> wrote:
>> > I would like to install Subversion 1.8 from native distribution repository
>> > and wonder why it is not available…
>>
>> My RPM building tools are published. I don't personally have a web
>> service I can rely on sufficiently well to publish reliable, GPG
>> signed RPM's and have high confidence that someone can't maliciously
>> replace the repository, including a fake GPG key. Who checks the
>> signature chain on website published GPG keys?
>
> Even people who don't have a PGP trust path to your key will still be
> protected from this attack if they do "key pinning", i.e., if they check
> that "it's the same key as last time".
>
> (So long as people don't re-pin to a new key when the key on the website
> changes, of course.)
Yeah, that's the basic problem. RPM and its manager, yum, don't care
if something has "the same key as I used for the previous version".
It cares if a matching key is loaded that matches the signed RPM. If
not, then yum looks in a designated location for the key. That
location is typically either at a URL (typically at the same website
and thus as vulnerable as a poisoned RPM), or deposited in /etc/pki/
by something like a "redhat-release" or "epel-release" RPM.
So if I could maintain a secure "nkadel-release" package and encourage
people to use it, I'd be in good shape. But for now, I don't have the
secure releases to host *that* any more than I have good, secure
resources and reliable support time to host Subversion RPMs and
ensure their provenance. Instead I've been trying to publish to
RPMforge (which used to work), and publish patches (which are
available to Fedora, RHEL, and even Wandisco).
Received on 2015-11-03 15:17:59 CET
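The two points raised above (yum fetching its key from a gpgkey URL on the same site as the packages, and the "same key as last time" check that yum itself does not do) can be made concrete with a small defensive script. This is an added example, not code from this thread or from any of the participants' tooling; the `.repo` contents, the repository host `rpms.example.invalid`, the key bytes, and the `audit_repo` / `verify_pinned_key` helpers are all constructed for illustration. The pin is a SHA-256 of the whole key file rather than an OpenPGP fingerprint, which keeps the example free of gpg but is otherwise the same trust-on-first-use idea.

```python
"""Audit yum/dnf .repo key sources and pin a repository key on first use.

Added example for the key-pinning discussion; not from the mailing-list
thread. Everything below is constructed: the .repo text, the host name
and the key bytes used in the usage section.
"""
import configparser
import hashlib
import json
from pathlib import Path
from urllib.parse import urlparse

# Constructed .repo file in the shape the thread warns about: gpgcheck is
# on, but the key is pulled from the same web host as the RPMs, so an
# attacker who can replace the RPMs can replace the key as well.
WEAK_REPO = """
[nkadel-subversion]
name=Example Subversion RPMs (constructed)
baseurl=https://rpms.example.invalid/el7/
gpgcheck=1
gpgkey=https://rpms.example.invalid/RPM-GPG-KEY-example
"""

# Same repository, but the key is read from /etc/pki, i.e. it was put on
# the box by a locally installed release package, not fetched at use time.
HARDENED_REPO = """
[nkadel-subversion]
name=Example Subversion RPMs (constructed)
baseurl=https://rpms.example.invalid/el7/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
"""


def audit_repo(repo_text):
    """Return {section: [findings]} for each repository stanza in a .repo file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_text)
    findings = {}
    for sec in cp.sections():
        issues = []
        if cp.get(sec, "gpgcheck", fallback="0") != "1":
            issues.append("gpgcheck disabled")
        gpgkey = cp.get(sec, "gpgkey", fallback="")
        key_url = urlparse(gpgkey)
        pkg_host = urlparse(cp.get(sec, "baseurl", fallback="")).hostname
        if not gpgkey:
            issues.append("no gpgkey")
        elif key_url.scheme in ("http", "https", "ftp"):
            # A network-fetched key is only as trustworthy as the host it
            # comes from; the same host as the packages is the worst case.
            if key_url.hostname == pkg_host:
                issues.append("gpgkey fetched from the package host")
            else:
                issues.append("gpgkey fetched over the network")
        findings[sec] = issues
    return findings


class PinMismatch(Exception):
    """Raised when a repository key differs from the one pinned earlier."""


def key_digest(key_bytes):
    """Pin value: SHA-256 of the key file bytes (stand-in for a fingerprint)."""
    return hashlib.sha256(key_bytes).hexdigest()


def verify_pinned_key(repo_id, key_bytes, pin_store):
    """Trust-on-first-use check over a dict of repo id -> pinned digest.

    Returns "pinned" when the key is recorded for the first time, "match"
    when it equals the stored pin, and raises PinMismatch otherwise. The
    caller is responsible for persisting pin_store (see load/save below).
    """
    digest = key_digest(key_bytes)
    pinned = pin_store.get(repo_id)
    if pinned is None:
        pin_store[repo_id] = digest
        return "pinned"
    if pinned != digest:
        raise PinMismatch(f"{repo_id}: key changed (pinned {pinned[:16]}..., got {digest[:16]}...)")
    return "match"


def load_pins(path):
    """Read the pin store from a JSON file; an absent file means no pins yet."""
    p = Path(path)
    return json.loads(p.read_text()) if p.exists() else {}


def save_pins(path, pin_store):
    """Write the pin store back as JSON."""
    Path(path).write_text(json.dumps(pin_store, indent=2, sort_keys=True))


if __name__ == "__main__":
    print("weak:", audit_repo(WEAK_REPO))
    print("hardened:", audit_repo(HARDENED_REPO))
    pins = {}
    first_key = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(constructed key A)\n"
    print(verify_pinned_key("nkadel-subversion", first_key, pins))
    print(verify_pinned_key("nkadel-subversion", first_key, pins))
    try:
        verify_pinned_key("nkadel-subversion", b"(constructed key B)\n", pins)
    except PinMismatch as err:
        print("refused:", err)
```

The pin store is only as good as the decision not to re-pin when the key on the website changes, which is the caveat already raised in the thread: a `PinMismatch` should be treated as an incident to investigate out of band, not as a prompt to delete the old pin. In a real deployment the pinned value would be the key's OpenPGP fingerprint as reported by gpg or by the imported `gpg-pubkey` RPM rather than a hash of the file, but the comparison logic is the same.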