[CentOS-devel] progress?

Jeff Johnson n3npq at mac.com
Sun Feb 20 21:21:47 UTC 2011


On Feb 20, 2011, at 4:12 PM, Stephen John Smoogen wrote:

> On Sun, Feb 20, 2011 at 13:11, Jeff Johnson <n3npq at mac.com> wrote:
>> 
> 
>>> 3) experienced sysadmin diagnoses issue to the rpm level
>> 
>> Whoa: leave rpm out of this risk analysis please. It's not
>> rpm, but rather yum, that routinely disables signature checking.
>> 
> 
> s/yum/people using yum/
> 
> if you don't mind :).
> 

I don't mind at all because I'm not tied to an EKG in an ICU using RHEL with yum.

But I can show you the line of code -- that can only be changed by developers,
not "people" in the usual sense of the word -- hardwired in yum code.

OTOH, there's many threat/security models, and no one really knows
which model SHOULD apply to *.rpm. Lord knows that RPM is the only major
software installer in the world where applications like yum routinely
choose to disable signature/digest checking for performance and the
rather useless
	Do you "trust" this pubkey(yN)?
EULA-like dialog that reassures users but is only as secure as well as "trust"
is defined. Smells like a BackOrifice to me and heck it's spelled
	P-U-B-L-I-C K-E-Y

(We now return you to the previous thread of CentOS bashing, sorry for the interruption).

73 de jeff
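The setting the message is arguing about is a plain configuration value: yum's gpgcheck, set as a default in the [main] section of yum.conf and overridable per repository in the .repo files. The following is an added example, not code from the thread or from the yum project: a small audit that computes the effective gpgcheck value for every repository (per-repo value, else the [main] default), lists the enabled repositories that will install packages without any signature verification, and emits a hardened copy of a .repo file with the check forced on. The sample yum.conf and .repo contents are constructed for the example; the mirror hostname is a placeholder. The assumption that an unset gpgcheck in [main] means "off" is labelled in the code.

```python
"""Audit yum configuration for repositories that skip GPG signature checking."""
import configparser
import io

# Constructed sample of /etc/yum.conf. The [main] section supplies the default
# that every repository inherits unless the repo section overrides it.
SAMPLE_YUM_CONF = """\
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
gpgcheck=1
plugins=1
"""

# Constructed sample .repo file. 'updates' explicitly disables the check,
# 'extras' inherits the [main] default, and only 'base' pins a key source.
SAMPLE_REPO_FILE = """\
[base]
name=CentOS-$releasever - Base
baseurl=http://mirror.example.invalid/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

[updates]
name=CentOS-$releasever - Updates
baseurl=http://mirror.example.invalid/centos/$releasever/updates/$basearch/
gpgcheck=0

[extras]
name=CentOS-$releasever - Extras
baseurl=http://mirror.example.invalid/centos/$releasever/extras/$basearch/
enabled=0
"""


def _parse(text):
    # interpolation=None: yum's $basearch/$releasever are not configparser syntax.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def _as_bool(value, default):
    if value is None:
        return default
    return value.strip().lower() in ("1", "yes", "true", "on")


def effective_gpgcheck(yum_conf, repo_files):
    """Map repo name -> {'enabled', 'gpgcheck', 'gpgkey'} after applying [main] defaults."""
    main = _parse(yum_conf)
    # Assumption for this example: an unset gpgcheck in [main] behaves as 0 (off).
    default_check = _as_bool(main.get("main", "gpgcheck", fallback=None), False)
    result = {}
    for text in repo_files:
        cp = _parse(text)
        for repo in cp.sections():
            result[repo] = {
                "enabled": _as_bool(cp.get(repo, "enabled", fallback=None), True),
                "gpgcheck": _as_bool(cp.get(repo, "gpgcheck", fallback=None), default_check),
                # Whether a key source is pinned; without one, any key comes from
                # the interactive import prompt the message criticises.
                "gpgkey": bool(cp.get(repo, "gpgkey", fallback="").strip()),
            }
    return result


def unsigned_repos(yum_conf, repo_files):
    """Names of enabled repos whose packages would be installed with no signature check."""
    state = effective_gpgcheck(yum_conf, repo_files)
    return sorted(r for r, s in state.items() if s["enabled"] and not s["gpgcheck"])


def unpinned_repos(yum_conf, repo_files):
    """Names of enabled repos that check signatures but configure no gpgkey source."""
    state = effective_gpgcheck(yum_conf, repo_files)
    return sorted(r for r, s in state.items() if s["enabled"] and s["gpgcheck"] and not s["gpgkey"])


def harden(repo_text):
    """Return a copy of a .repo file with gpgcheck=1 forced in every section."""
    cp = _parse(repo_text)
    for repo in cp.sections():
        cp.set(repo, "gpgcheck", "1")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    print("unsigned:", unsigned_repos(SAMPLE_YUM_CONF, [SAMPLE_REPO_FILE]))
    print("unpinned:", unpinned_repos(SAMPLE_YUM_CONF, [SAMPLE_REPO_FILE]))
    print(harden(SAMPLE_REPO_FILE))
```

On a real host the inputs are /etc/yum.conf and the files under /etc/yum.repos.d/. The audit only covers configuration; it cannot see a `yum --nogpgcheck` typed on the command line or a package installed with `rpm --nosignature`, which is why a second line of defence is to verify the installed package files themselves with `rpm -K` (the same as `rpm --checksig`) against the keys actually imported into the rpm database.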
