CentOS - Dec 2015 - yum/RPM and Trust on First Use

On 12/20/2015 10:05 AM, Gordon Messmer wrote:
> On 12/20/2015 04:26 AM, Ned Slider wrote:
>> Unless I'm mistaken RPM in el5 does not support the https protocol.
>
> In that case, users should use curl or wget to retrieve the rpm over
> https before installing it.
Yes, but I've run into instance where curl does not work for https - for 
example I believe if ECDSA TLS certificate is being used on the server, 
curl doesn't work. Not sure about wget.

On 12/20/2015 10:10 AM, Alice Wonder wrote:
> Yes, but I've run into instance where curl does not work for https -
> for example I believe if ECDSA TLS certificate is being used on the
> server, curl doesn't work. Not sure about wget.
Why do you think the solution is to make yum behave well when there's 
malicious data in /etc, rather than updating rpm/curl to properly 
support https so that it doesn't get there?

On 12/20/2015 02:28 PM, Gordon Messmer wrote:
> On 12/20/2015 10:10 AM, Alice Wonder wrote:
>> Yes, but I've run into instance where curl does not work for https
-
>> for example I believe if ECDSA TLS certificate is being used on the
>> server, curl doesn't work. Not sure about wget.
>
> Why do you think the solution is to make yum behave well when there's
> malicious data in /etc, rather than updating rpm/curl to properly
> support https so that it doesn't get there?
> _______________________________________________
It's a validation step.

Even with https - fraudulently signed certificates are still a problem, 
as well as the issue of there not being any RFC stating what certificate 
authorities must be trusted.

So if a server serves an RPM over https - it has to be with a 
certificate signed by an authority trusted by client. There's no way to 
guarantee that.

DNSSEC validation doesn't have that issue.