[CentOS] yum/RPM and Trust on First Use

Alice Wonder alice at domblogger.net
Mon Dec 21 01:06:46 UTC 2015



On 12/20/2015 01:28 PM, Always Learning wrote:
>
> On Sun, 2015-12-20 at 12:44 -0800, Alice Wonder wrote:
>
>
>> RPM has ability to install a package over the network.
>>
>> rpm -i ftp://example.org/foo-2.2.noarch.rpm
>
>
> Thanks for the new knowledge.
>
>> The point I'm trying to make though is that yum could benefit from
>> the ability to verify the fingerprint in a key it is importing
>> matches a DNS query for the user and domain the key claims to be for.
>>
>> Regardless of how the package was retrieved, this could prevent
>> dishonest trojan keys from being imported, especially if DNSSEC
>> validated the DNS query.
>
> How widespread is the problem of unknowingly importing compromised
> software ?
>

For me, I prefer to be pro-active rather than reactive.

DNSSEC gives us some validation options we did not formerly have. I 
like to use it where it takes away potential vectors, whether they 
currently are popular attack vectors or not.
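Below is a sketch of the check proposed in this thread, written as an added example; it is not code from this post, from yum, or from RPM. It assumes the DNS side is the PKA-style TXT record GnuPG understands (owner name `<local-part>._pka.<domain>`, data `v=pka1;fpr=<40 hex digits>;...`), and that a validating resolver reports whether the answer was DNSSEC-authenticated (the AD flag). The resolver is passed in as a callable so the example runs offline against a constructed key block and a constructed fake zone; the key material, the `example.org` names, and all function names are assumptions for illustration. The OpenPGP parsing (armor, packet headers, v4 fingerprint) follows RFC 4880 and is enough for a typical exported signing key.

```python
# Added example, not from the mailing list post: does an RPM signing key's OpenPGP
# fingerprint match a DNSSEC-authenticated DNS record for the e-mail in its user ID?
import base64, hashlib, re, struct
from typing import List, Optional, Tuple

PKA_RE = re.compile(r"v=pka1;.*?fpr=([0-9A-Fa-f]{40})")  # GnuPG PKA TXT record format
EMAIL_RE = re.compile(r"<([^<>@\s]+)@([^<>@\s]+)>")

def dearmor(armored: str) -> bytes:
    """Strip ASCII armor (RFC 4880 section 6) and return the raw packet bytes."""
    lines = [l.strip() for l in armored.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an armored OpenPGP block")
    inner = lines[1:-1]
    if "" in inner:                       # armor headers ("Version: ...") end at the first blank line
        inner = inner[inner.index("") + 1:]
    # The trailing "=XXXX" line is the CRC24 checksum; it is skipped here, not verified.
    return base64.b64decode("".join(l for l in inner if l and not l.startswith("=")))

def iter_packets(data: bytes):
    """Yield (tag, body) per packet; old- and new-format headers (RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("invalid packet header")
        if ctb & 0x40:                                    # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                             # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            hdr = 1 + {0: 1, 1: 2, 2: 4}[ltype]           # ltype 3 (indeterminate) is unsupported
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        pos += hdr
        yield tag, data[pos:pos + length]
        pos += length

def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, two-byte body length, then the key packet body."""
    if key_body[0] != 4:
        raise ValueError("only version 4 keys are supported")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()

def inspect_key(armored: str) -> Tuple[str, List[str]]:
    """Return (primary-key fingerprint, user IDs) for an armored public key block."""
    fpr, uids = None, []
    for tag, body in iter_packets(dearmor(armored)):
        if tag == 6 and fpr is None:                      # public-key packet (primary key)
            fpr = v4_fingerprint(body)
        elif tag == 13:                                   # user ID packet
            uids.append(body.decode("utf-8", "replace"))
    if fpr is None:
        raise ValueError("no public-key packet in key block")
    return fpr, uids

def pka_name(uid: str) -> Optional[str]:
    """Owner name of the PKA TXT record (<local>._pka.<domain>), or None if no e-mail address."""
    m = EMAIL_RE.search(uid)
    return f"{m.group(1)}._pka.{m.group(2)}" if m else None

def key_matches_dns(armored: str, resolve, allowed_domains=None) -> bool:
    """True only if a DNSSEC-authenticated PKA record for a user ID carries the fingerprint.
    resolve(name) -> (TXT strings, AD flag). allowed_domains limits which claimed domains
    count; without it a trojan key claiming an attacker-controlled, signed domain would pass."""
    fpr, uids = inspect_key(armored)
    for uid in uids:
        name = pka_name(uid)
        if name is None or (allowed_domains and name.split("._pka.", 1)[1] not in allowed_domains):
            continue
        txts, authenticated = resolve(name)
        if not authenticated:                             # unsigned answer proves nothing
            continue
        if any((m := PKA_RE.search(t)) and m.group(1).upper() == fpr for t in txts):
            return True
    return False

def build_test_key(n: int, e: int, uid: str) -> str:
    """Constructed armored RSA public key for testing; n and e are not a real key pair."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 1450659200) + b"\x01" + mpi(n) + mpi(e)  # v4, ctime, RSA
    packets = b"\x99" + struct.pack(">H", len(body)) + body         # tag 6, old-format, 2-byte length
    packets += b"\xb4" + bytes([len(uid.encode())]) + uid.encode()  # tag 13, old-format, 1-byte length
    b64 = base64.b64encode(packets).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

# Constructed test data: a throwaway key plus a fake zone keyed by PKA owner name (not real DNS).
TEST_KEY = build_test_key((1 << 127) + 0x2F1A9D, 65537, "Example Repo Key <repo-signing@example.org>")
TEST_FPR = inspect_key(TEST_KEY)[0]
FAKE_ZONE = {"repo-signing._pka.example.org": ([f"v=pka1;fpr={TEST_FPR};uri=https://example.org/key.asc"], True)}
fake_resolver = lambda name: FAKE_ZONE.get(name, ([], False))  # stand-in for a validating resolver
```

In a real deployment `fake_resolver` would be replaced by a query to a validating resolver with DNSSEC enabled and the AD bit checked, and `allowed_domains` would be derived from where the repository says its key lives rather than from the key itself: the check only proves the key belongs to the identity it claims, so the caller still has to decide which identity it expects.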


