Charlie Brady wrote:
It's not obvious to me what the attack vector would be with unsigned debuginfo packages...
1. Get people to download packages from you instead of the real debuginfo.centos.org by a MITM attack, DNS poisoning or whatever.
2. Send modified malicious packages instead of the real ones. Debuginfo packages are (AFAIK) ordinary RPM packages so they can contain evil binaries, install a rootkit in their post-install script or something like that.
/Pär
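An added defender-side check, not code from this thread: a small POSIX sh helper that classifies `rpm -K` (`rpm --checksig`) output so that an unsigned package is not mistaken for a signed one. The trap it guards against is that rpm prints "OK" for an unsigned package when only its digests verified. The package names and output lines below are constructed, and the two output styles assumed are those of older rpm (4.8-era, "rsa sha1 (md5) pgp md5 OK") and newer rpm ("digests signatures OK").

```shell
#!/bin/sh
# Added example (not from the mailing-list thread).
# classify_checksig LINE -> prints one of: signed-ok, unsigned, bad, unknown
# LINE is one line of `rpm -K file.rpm` output, e.g.
#   "foo.rpm: rsa sha1 (md5) pgp md5 OK"   (signed, key trusted; older rpm)
#   "foo.rpm: sha1 md5 OK"                 (UNSIGNED, digests only; older rpm)
#   "foo.rpm: digests signatures OK"       (signed, key trusted; newer rpm)
#   "foo.rpm: digests OK"                  (UNSIGNED; newer rpm)
# Output formats are an assumption about the rpm versions named above.
classify_checksig() {
    line=$1
    # Everything after the first ": " is rpm's verdict for the file.
    verdict=${line#*: }
    case "$verdict" in
        *"NOT OK"*|*"not ok"*)
            # Bad digest, bad signature, or signature from an unknown key:
            # do not install either way.
            echo bad ;;
        *OK)
            # "OK" alone is not enough: only a signature token proves a
            # trusted key signed the package.
            case "$verdict" in
                *[Pp][Gg][Pp]*|*[Rr][Ss][Aa]*|*[Dd][Ss][Aa]*|*[Ss]ignatures*)
                    echo signed-ok ;;
                *)
                    echo unsigned ;;
            esac ;;
        *)
            echo unknown ;;
    esac
}

# Stand-alone demo over constructed sample lines (not real packages).
# Real use: rpm -K *.rpm | while IFS= read -r l; do classify_checksig "$l"; done
while IFS= read -r l; do
    printf '%-10s %s\n' "$(classify_checksig "$l")" "$l"
done <<'EOF'
foo-debuginfo-1.0-1.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
foo-debuginfo-1.0-1.x86_64.rpm: sha1 md5 OK
foo-debuginfo-1.0-1.x86_64.rpm: digests signatures OK
foo-debuginfo-1.0-1.x86_64.rpm: digests OK
foo-debuginfo-1.0-1.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#12345678)
EOF
```

Only `signed-ok` should be treated as installable; `unsigned` is exactly the case the thread describes, where a substituted package would pass a naive "does rpm say OK" check.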