[CentOS] yum/RPM and Trust on First Use
Alice Wonder
alice at domblogger.net
Sun Dec 20 20:44:28 UTC 2015
On 12/20/2015 12:16 PM, John R Pierce wrote:
> On 12/20/2015 4:26 AM, Ned Slider wrote:
>> Unless I'm mistaken RPM in el5 does not support the https protocol.
>
> did you mean Yum ? rpm is just a file format for packages, and a
> package installer program, its yum that does the network operations to
> fetch the packages, and as far as I understand it uses libcurl, so it
> should be able to support https
>
>
RPM has ability to install a package over the network.
rpm -i ftp://example.org/foo-2.2.noarch.rpm
could be used to install that package, which may contain the key and yum
configuration for a third party package.
The point I'm trying to make though is that yum could benefit from the
ability to verify the fingerprint in a key it is importing matches a DNS
query for the user and domain the key claims to be for.
Regardless of how the package was retrieved, this could prevent
dishonest trojan keys from being imported, especially if DNSSEC
validated the DNS query.
--
-=-
Sent my from my laptop, may not be able to respond timely
More information about the CentOS
mailing list