[CentOS] yum/RPM and Trust on First Use
Alice Wonder
alice at domblogger.net
Mon Dec 21 01:06:46 UTC 2015
On 12/20/2015 01:28 PM, Always Learning wrote:
>
> On Sun, 2015-12-20 at 12:44 -0800, Alice Wonder wrote:
>
>
>> RPM has ability to install a package over the network.
>>
>> rpm -i ftp://example.org/foo-2.2.noarch.rpm
>
>
> Thanks for the new knowledge.
>
>> The point I'm trying to make though is that yum could benefit from
>> the ability to verify the fingerprint in a key it is importing
>> matches a DNS query for the user and domain the key claims to be for.
>>
>> Regardless of how the package was retrieved, this could prevent
>> dishonest trojan keys from being imported, especially if DNSSEC
>> validated the DNS query.
>
> How widespread is the problem of unknowingly importing compromised
> software ?
>
--
For me, I prefer to be pro-active rather than reactive.
DNSSEC gives us a some validation options we did not formerly have, I
like to use it where it takes away potential vectors whether they
currently are popular attack vectors or not.
More information about the CentOS
mailing list