[CentOS-devel] progress?
Jeff Johnson
n3npq at mac.com
Sun Feb 20 21:21:47 UTC 2011
On Feb 20, 2011, at 4:12 PM, Stephen John Smoogen wrote:
> On Sun, Feb 20, 2011 at 13:11, Jeff Johnson <n3npq at mac.com> wrote:
>>
>
>>> 3) experienced sysadmin diagnoses issue to the rpm level
>>
>> Whoa: leave rpm out of this risk analysis please. It's not
>> rpm, but rather yum, that routinely disables signature checking.
>>
>
> s/yum/people using yum/
>
> if you don't mind :).
>
I don't mind at all because I'm not tied to an EKG in an ICU using RHEL with yum.
But I can show you the line of code -- that can only be changed by developers,
not "people" in the usual sense of the word -- hardwired in yum code.
OTOH, there are many threat/security models, and no one really knows
which model SHOULD apply to *.rpm. Lord knows that RPM is the only major
software installer in the world where applications like yum routinely
choose to disable signature/digest checking for performance and the
rather useless
Do you "trust" this pubkey(yN)?
EULA-like dialog that reassures users but is only as secure as well as "trust"
is defined. Smells like a BackOrifice to me and heck it's spelled
P-U-B-L-I-C K-E-Y
(We now return you to the previous thread of CentOS bashing, sorry for the interruption).
73 de jeff