[CentOS] yum/RPM and Trust on First Use

Mon Dec 21 01:09:18 UTC 2015
Alice Wonder <alice at domblogger.net>

On 12/20/2015 02:28 PM, Gordon Messmer wrote:
> On 12/20/2015 10:10 AM, Alice Wonder wrote:
>> Yes, but I've run into instance where curl does not work for https -
>> for example I believe if ECDSA TLS certificate is being used on the
>> server, curl doesn't work. Not sure about wget.
> Why do you think the solution is to make yum behave well when there's
> malicious data in /etc, rather than updating rpm/curl to properly
> support https so that it doesn't get there?
> _______________________________________________

It's a validation step.

Even with https - fraudulently signed certificates are still a problem, 
as well as the issue of there not being any RFC stating what certificate 
authorities must be trusted.

So if a server serves an RPM over https - it has to be with a 
certificate signed by an authority trusted by client. There's no way to 
guarantee that.

DNSSEC validation doesn't have that issue.