[CentOS-devel] False statement about insecurity made on Wiki
redbaronbrowser
redbaronbrowser at protonmail.com
Wed Feb 10 03:10:57 UTC 2021
- Previous message: [CentOS-devel] False statement about insecurity made on Wiki
- Next message: [CentOS-devel] False statement about insecurity made on Wiki
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Tuesday, February 9, 2021 8:58 PM, John R. Dennison <jrd at gerdesas.com> wrote:

> On Wed, Feb 10, 2021 at 02:42:35AM +0000, redbaronbrowser via CentOS-devel wrote:
>
> > As long as we are being pedantic about repository security, my personal
> > observation is the best point of attack is the repo XML files. These
> > are not signed. If a rogue mirror or a man in the middle attack did
> > take place, this seems like the best target. From what I can tell,
> > DNF (and libxml2) typically are parsing these files while running as
> > root. A zero-day against libxml2 would be gold.
>
> Repo metadata is signed.

From what I can tell, the repo metadata is hashed by sha256, but that is not the same as cryptographically signed. What are you finding that performs a verification of the repomd.xml against the CentOS public key before parsing it with libxml2?
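The distinction the message draws, that the sha256 digests in repomd.xml chain the other metadata files to repomd.xml but say nothing about whether repomd.xml itself is authentic, can be made concrete. The following is an added example written for this thread, not code from dnf, librepo or CentOS. It models the two checks as separate steps: a signature check on repomd.xml (in dnf, the repo_gpgcheck=1 path, which fetches repomd.xml.asc and verifies it against the repo's gpgkey; with repo_gpgcheck=0 this step does not happen), and only after that a parse of the XML and a digest comparison for each listed file. The signature check is passed in as a callable so the example runs offline; the repomd.xml, the primary.xml.gz stand-in and the helper names (sample_files, repomd_entries, file_status, audit_repo) are constructed for illustration.

```python
"""Added example (not dnf's own code): verify-then-parse for repository metadata.

The order matters for the concern raised in the thread: untrusted bytes
should not reach the XML parser until their signature has been checked,
and the sha256 digests inside repomd.xml only vouch for the *other*
files, never for repomd.xml itself.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Tuple

REPO_NS = "{http://linux.duke.edu/metadata/repo}"

# Constructed stand-in for a primary.xml.gz payload (not real metadata).
PRIMARY_BYTES = b"constructed stand-in for primary.xml.gz"
PRIMARY_SHA256 = hashlib.sha256(PRIMARY_BYTES).hexdigest()
PRIMARY_HREF = f"repodata/{PRIMARY_SHA256}-primary.xml.gz"

# Constructed repomd.xml in the createrepo layout: each <data> entry
# records the digest and location of one metadata file.
REPOMD_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1612923057</revision>
  <data type="primary">
    <checksum type="sha256">{PRIMARY_SHA256}</checksum>
    <location href="{PRIMARY_HREF}"/>
    <size>{len(PRIMARY_BYTES)}</size>
  </data>
</repomd>
""".encode()


def sample_files() -> Dict[str, bytes]:
    """Files 'fetched' from the mirror, keyed by href (constructed)."""
    return {PRIMARY_HREF: PRIMARY_BYTES}


def repomd_entries(repomd_bytes: bytes) -> Dict[str, Tuple[str, str]]:
    """Parse repomd.xml into {href: (checksum_type, checksum_hex)}.

    Call this only after the signature on repomd_bytes has been verified;
    the parser must not see unauthenticated input.
    """
    root = ET.fromstring(repomd_bytes)
    entries: Dict[str, Tuple[str, str]] = {}
    for data in root.iter(f"{REPO_NS}data"):
        checksum = data.find(f"{REPO_NS}checksum")
        location = data.find(f"{REPO_NS}location")
        if checksum is None or location is None or checksum.text is None:
            continue
        entries[location.get("href", "")] = (checksum.get("type", ""), checksum.text.strip())
    return entries


def file_status(expected_type: str, expected_hex: str, data: bytes) -> str:
    """Integrity of one metadata file relative to its repomd.xml entry."""
    if expected_type != "sha256":
        return "unsupported-checksum"   # refuse weaker digest types
    actual = hashlib.sha256(data).hexdigest()
    return "ok" if hmac.compare_digest(actual, expected_hex) else "checksum-mismatch"


def audit_repo(repomd_bytes: bytes,
               fetched: Dict[str, bytes],
               signature_ok: Callable[[bytes], bool]) -> dict:
    """Return {"signature": bool, "files": {href: status}}.

    signature_ok stands in for verifying repomd.xml.asc against the repo's
    GPG key (dnf: repo_gpgcheck=1). Nothing is parsed if it fails.
    """
    # Step 1: authenticity of repomd.xml.
    if not signature_ok(repomd_bytes):
        return {"signature": False, "files": {}}
    # Step 2: only now hand the bytes to the XML parser.
    entries = repomd_entries(repomd_bytes)
    # Step 3: integrity of every other file, relative to repomd.xml.
    files: Dict[str, str] = {}
    for href, (ctype, chex) in entries.items():
        data = fetched.get(href)
        files[href] = "missing" if data is None else file_status(ctype, chex, data)
    return {"signature": True, "files": files}


if __name__ == "__main__":
    # A mirror that tampers with primary.xml.gz is caught by step 3, but a
    # mirror that rewrites repomd.xml itself is caught only by step 1.
    print(audit_repo(REPOMD_XML, sample_files(), lambda _b: True))
    print(audit_repo(REPOMD_XML, sample_files(), lambda _b: False))
```

Passing `lambda _b: True` as the signature check models a repo configured with repo_gpgcheck=0: the digest comparison still runs, but it only proves the files match whatever repomd.xml the mirror served, which is exactly the gap the message above points at.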