[CentOS] yum/RPM and Trust on First Use
Alice Wonder
alice at domblogger.net
Mon Dec 21 01:09:18 UTC 2015
On 12/20/2015 02:28 PM, Gordon Messmer wrote:
> On 12/20/2015 10:10 AM, Alice Wonder wrote:
>> Yes, but I've run into instances where curl does not work for https -
>> for example I believe if an ECDSA TLS certificate is being used on the
>> server, curl doesn't work. Not sure about wget.
>
> Why do you think the solution is to make yum behave well when there's
> malicious data in /etc, rather than updating rpm/curl to properly
> support https so that it doesn't get there?

It's a validation step.

Even with https - fraudulently signed certificates are still a problem, as well as the issue of there not being any RFC stating what certificate authorities must be trusted.

So if a server serves an RPM over https - it has to be with a certificate signed by an authority trusted by the client. There's no way to guarantee that.

DNSSEC validation doesn't have that issue.