[CentOS-devel] False statement about insecurity made on Wiki

Wed Feb 10 02:58:32 UTC 2021
John R. Dennison <jrd at gerdesas.com>

On Wed, Feb 10, 2021 at 02:42:35AM +0000, redbaronbrowser via CentOS-devel wrote:
> On Tuesday, February 9, 2021 7:41 PM, Jake Shipton <listmail at crazylinuxnerd.net> wrote:
> 
> As long as we are being pedantic about repository security, my person
> observation is the best point of attack is the repo XML files.  These
> are not signed.  If a rogue mirror or a man in the middle attack did
> take place, this seems like the best target.  From  what I can tell,
> DNF (and libxml2) typically are parsing these files while running as
> root.  A zero-day against libxml2 would be gold.

Repo metadata is signed.





							John
-- 
Teachers open the door.  You enter by yourself.

-- Chinese Proverb
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20210209/c68dfc18/attachment-0005.sig>