[CentOS-devel] why provide debuginfo
paran at nsc.liu.se
Fri Apr 10 19:29:01 UTC 2009
Charlie Brady wrote:
> It's not obvious to me what the attack vector would be with unsigned
> debuginfo packages...
1. Get people to download packages from you instead of the real
debuginfo.centos.org by a MITM attack, DNS poisoning or whatever.
2. Send modified malicious packages instead of the real ones. Debuginfo
packages are (AFAIK) ordinary RPM packages so they can contain evil
binaries, install a rootkit in their post-install script or something
More information about the CentOS-devel