On 12/20/2015 12:16 PM, John R Pierce wrote:
> On 12/20/2015 4:26 AM, Ned Slider wrote:
>> Unless I'm mistaken RPM in el5 does not support the https protocol.
>
> did you mean Yum? rpm is just a file format for packages, and a
> package installer program, it's yum that does the network operations to
> fetch the packages, and as far as I understand it uses libcurl, so it
> should be able to support https
>

RPM has the ability to install a package over the network.

rpm -i ftp://example.org/foo-2.2.noarch.rpm

could be used to install that package, which may contain the key and yum configuration for a third party package.

The point I'm trying to make though is that yum could benefit from the ability to verify the fingerprint in a key it is importing matches a DNS query for the user and domain the key claims to be for.

Regardless of how the package was retrieved, this could prevent dishonest trojan keys from being imported, especially if DNSSEC validated the DNS query.

-- 
-=- Sent from my laptop, may not be able to respond timely
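The check proposed in the message above, as an added example (not code from yum, rpm, or anyone in this thread): compute the v4 fingerprint of an OpenPGP key about to be imported, derive a DNS name from the e-mail address in its User ID, look up what that name publishes and only accept the key if the fingerprints agree and the resolver reported the answer as DNSSEC-validated (AD bit). The DNS record layout is assumed to be GnuPG's PKA format (a TXT record at `<local-part>._pka.<domain>` reading `v=pka1;fpr=<40 hex>;uri=<url>`); the key bytes (`SAMPLE_KEY`, with placeholder RSA values), the record for `alice._pka.example.org` and the `fake_resolver` are constructed for the demo so it runs offline.

```python
"""Added example: verify an OpenPGP key's fingerprint against a DNS (PKA-style)
record for its User ID, trusting the answer only if DNSSEC-validated (AD bit).
Key bytes, DNS records and the resolver below are constructed for the demo."""
import hashlib
import re
import struct


def parse_packets(data):
    """Yield (tag, body) for the packets in an unarmored OpenPGP blob (RFC 4880
    section 4.2); partial-body and indeterminate lengths are rejected."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:  # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                length, hdr = data[i + 1], 2
            elif ltype == 1:
                length, hdr = struct.unpack(">H", data[i + 1:i + 3])[0], 3
            elif ltype == 2:
                length, hdr = struct.unpack(">I", data[i + 1:i + 5])[0], 5
            else:
                raise ValueError("indeterminate length not supported")
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length


def v4_fingerprint(pubkey_body):
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-octet body length and the
    public-key packet body, as 40 upper-case hex digits (what gpg prints)."""
    if pubkey_body[0] != 4:
        raise ValueError("only v4 keys are handled")
    prefix = b"\x99" + struct.pack(">H", len(pubkey_body))
    return hashlib.sha1(prefix + pubkey_body).hexdigest().upper()


def key_fingerprint_and_uids(keyblob):
    """Fingerprint of the primary key plus every User ID packet in the blob."""
    fpr, uids = None, []
    for tag, body in parse_packets(keyblob):
        if tag == 6 and fpr is None:   # public-key packet (primary key)
            fpr = v4_fingerprint(body)
        elif tag == 13:                # user ID packet
            uids.append(body.decode("utf-8"))
    if fpr is None or not uids:
        raise ValueError("blob has no primary key or no User ID")
    return fpr, uids


def pka_name(uid):
    """DNS owner name of the PKA record for a User ID like 'Name <user@domain>'."""
    m = re.search(r"<([^<>@\s]+)@([^<>@\s]+)>", uid)
    if not m:
        raise ValueError("User ID carries no e-mail address: %r" % uid)
    return "%s._pka.%s" % (m.group(1).lower(), m.group(2).lower())


def verify_key_against_dns(keyblob, resolve):
    """Return (ok, reason). resolve(name) must return (list of TXT strings, ad_flag),
    ad_flag being the AD bit of a validating resolver's answer."""
    fpr, uids = key_fingerprint_and_uids(keyblob)
    name = pka_name(uids[0])
    txts, ad = resolve(name)
    if not ad:
        return False, "%s: answer was not DNSSEC-validated (AD bit clear)" % name
    for txt in txts:
        fields = dict(f.split("=", 1) for f in txt.split(";") if "=" in f)
        if fields.get("v") != "pka1":
            continue
        published = fields.get("fpr", "").upper()
        if published == fpr:
            return True, "%s: fingerprint %s matches" % (name, fpr)
        return False, "%s: DNS publishes %s, key is %s" % (name, published, fpr)
    return False, "%s: no pka1 TXT record" % name


# --- constructed demo data: not a real key, RSA values are placeholders ---
def _mpi(value):
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def _old_packet(tag, body):
    # old-format header with a 2-octet length, as gpg emits for key and UID packets
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


SAMPLE_KEY = (
    _old_packet(6, b"\x04" + struct.pack(">I", 1450000000) + b"\x01"
                + _mpi(0xC0FFEE1234567890ABCDEF) + _mpi(65537))
    + _old_packet(13, b"Alice Wonder <alice@example.org>")
)


def fake_resolver(records, ad=True):
    """Stand-in for a validating stub resolver (real code would query with DO set
    and read the AD flag from the reply)."""
    def resolve(name):
        return list(records.get(name, [])), ad
    return resolve


if __name__ == "__main__":
    fpr, uids = key_fingerprint_and_uids(SAMPLE_KEY)
    good = {pka_name(uids[0]): ["v=pka1;fpr=%s;uri=https://example.org/alice.asc" % fpr]}
    print(verify_key_against_dns(SAMPLE_KEY, fake_resolver(good)))
    print(verify_key_against_dns(SAMPLE_KEY, fake_resolver(good, ad=False)))
    print(verify_key_against_dns(SAMPLE_KEY, fake_resolver({pka_name(uids[0]): ["v=pka1;fpr=" + "0" * 40]})))
```

Two caveats a deployment would need beyond this sketch. The AD bit is only worth trusting when the path to the validating resolver is itself trusted (a validator on localhost, or a channel the client authenticates); an AD bit received over plain UDP from an arbitrary upstream can be forged as easily as the record it vouches for. And the check binds a key to a domain only: a key for `alice@attacker.example` with a matching record under `attacker.example` passes, so it catches keys that impersonate a domain they cannot publish under, not keys that are honest about belonging to a domain you should not trust.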
On Sun, 2015-12-20 at 12:44 -0800, Alice Wonder wrote:
> RPM has ability to install a package over the network.
>
> rpm -i ftp://example.org/foo-2.2.noarch.rpm

Thanks for the new knowledge.

> The point I'm trying to make though is that yum could benefit from
> the ability to verify the fingerprint in a key it is importing
> matches a DNS query for the user and domain the key claims to be for.
>
> Regardless of how the package was retrieved, this could prevent
> dishonest trojan keys from being imported, especially if DNSSEC
> validated the DNS query.

How widespread is the problem of unknowingly importing compromised software?

-- 
Regards,
Paul.
England, EU. England's place is in the European Union.
On 12/20/2015 12:44 PM, Alice Wonder wrote:
> The point I'm trying to make though is that yum could benefit from the
> ability to verify the fingerprint in a key it is importing matches a
> DNS query for the user and domain the key claims to be for.

I think we understand your point. The solution that you're proposing guards the system against compromise from data that's already in /etc. In my mind, that's too late. An attacker that can put data in /etc can overcome any protections you put in place.

I agree with you that packages should never be installed by rpm over http/ftp, because there's no signature verification in that case. But yum isn't involved in that, so I can't see a rational case for modifying yum to protect the system after you install an untrusted rpm. It sounds like you're trying to close the barn door after the horses have already left.

In any case, development of yum has ended. It's been replaced by dnf. And this is the wrong place to discuss improvements to either. CentOS is a rebuild of Red Hat and nothing more. Improvements need to happen further upstream.
On 12/20/2015 01:28 PM, Always Learning wrote:
>
> On Sun, 2015-12-20 at 12:44 -0800, Alice Wonder wrote:
>
>> RPM has ability to install a package over the network.
>>
>> rpm -i ftp://example.org/foo-2.2.noarch.rpm
>
> Thanks for the new knowledge.
>
>> The point I'm trying to make though is that yum could benefit from
>> the ability to verify the fingerprint in a key it is importing
>> matches a DNS query for the user and domain the key claims to be for.
>>
>> Regardless of how the package was retrieved, this could prevent
>> dishonest trojan keys from being imported, especially if DNSSEC
>> validated the DNS query.
>
> How widespread is the problem of unknowingly importing compromised
> software ?
>

For me, I prefer to be pro-active rather than reactive. DNSSEC gives us some validation options we did not formerly have. I like to use it where it takes away potential vectors, whether they currently are popular attack vectors or not.