On 12/20/2015 01:28 PM, Always Learning wrote:
On Sun, 2015-12-20 at 12:44 -0800, Alice Wonder wrote:
RPM has the ability to install a package over the network.
rpm -i ftp://example.org/foo-2.2.noarch.rpm
Thanks for the new knowledge.
The point I'm trying to make though is that yum could benefit from the ability to verify the fingerprint in a key it is importing matches a DNS query for the user and domain the key claims to be for.
Regardless of how the package was retrieved, this could prevent dishonest trojan keys from being imported, especially if DNSSEC validated the DNS query.
How widespread is the problem of unknowingly importing compromised software?
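The fingerprint-against-DNS check proposed above, as an added example that is not part of this thread or of yum: it assumes the DNS side is an OPENPGPKEY record (RFC 7929) that has already been parsed down to the OpenPGP public-key packet body, and the resolver reply is a constructed stand-in that exposes the DNSSEC AD flag rather than a live query.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class DnsAnswer:
    """Constructed stand-in for a resolver reply (not a real DNS client)."""
    name: str            # owner name the answer is for
    rdata: list          # each entry: an OpenPGP public-key packet body
    authenticated: bool  # True only if a validating resolver set the AD flag


def openpgpkey_owner_name(local_part: str, domain: str) -> str:
    # RFC 7929: SHA-256 of the local part, truncated to 28 octets, hex-encoded,
    # under the _openpgpkey label of the domain.
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain}."


def v4_fingerprint(pubkey_body: bytes) -> str:
    # RFC 4880 section 12.2: SHA-1 over 0x99, 2-octet body length, then the body.
    data = b"\x99" + len(pubkey_body).to_bytes(2, "big") + pubkey_body
    return hashlib.sha1(data).hexdigest().upper()


def verify_import(key_body: bytes, uid: str, answer: DnsAnswer) -> bool:
    """Accept the key only if a DNSSEC-validated record for the claimed
    user@domain carries a key with the same fingerprint."""
    local, domain = uid.split("@", 1)
    if answer.name != openpgpkey_owner_name(local, domain):
        return False  # reply is for some other name; do not trust it
    if not answer.authenticated:
        return False  # unsigned DNS data adds nothing over the download itself
    wanted = v4_fingerprint(key_body)
    return any(v4_fingerprint(body) == wanted for body in answer.rdata)


def _mpi(value: int) -> bytes:
    # OpenPGP multi-precision integer: 2-octet bit length, then big-endian value
    return value.bit_length().to_bytes(2, "big") + value.to_bytes(
        (value.bit_length() + 7) // 8, "big")


# Constructed toy v4 RSA public-key packet body (creation time 0, algorithm 1).
SAMPLE_KEY_BODY = b"\x04" + b"\x00\x00\x00\x00" + b"\x01" + _mpi(0xC0FFEE) + _mpi(65537)
SAMPLE_UID = "packager@example.org"
SAMPLE_ANSWER = DnsAnswer(openpgpkey_owner_name("packager", "example.org"),
                          [SAMPLE_KEY_BODY], authenticated=True)
```

A key whose packet body differs by even one byte, or a reply without the AD flag, is rejected.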