05-10-2008, 01:34 AM
Akemi Yagi

Point yum repos to centos gpg key in /etc/pki/

2008/2/25 Peter Kjellstrom <cap@nsc.liu.se>:
> On Monday 25 February 2008, Johnny Hughes wrote:
>> Jeff Sheltren wrote:
> ...
>> > Johnny, could you let us know your reasons for wanting to point to the
>> > remote GPG key?
>>
>> We DON'T allow downloads of ISOs from centos.org servers due to
>> bandwidth considerations. It would be fairly easy to put out an ISO
>> that had different RPMS and a different key.
>>
>> Granted, people CAN check the md5 and sha1 sum of the ISOs if they choose.
>>
>> Since we do control the content of every mirror.centos.org server, we
>> know that the key file is correct. In order to make that key AND the
>> RPMS be bad, they need a doctored CD *AND* they need to hijack our
>> content by DNS poisoning or getting control of our servers.
>>
>> I just think if you are using the internet anyway, why not also get the
>> key from a known location.
>
> I agree that there's something intuitively right about that, but,
> unfortunately it's wrong :-)
>
> Here's why.
>
> We have to assume that the install the user has is intact and uncompromised.
> Why? Well, if it has been compromised in any way then not only could it
> contain a malicious /etc/pki, it could of course have different gpgkey= lines
> in the .repo files...
>
> It will have to be up to the user to make sure (with our help, signed .isos,
> installers that check rpm signatures and stage2 signature) that he/she has an
> ok system. If they fail then they don't really run centos, they run haxx0r os
> and any attempt to validate anything inside that will fail.
>
> /Peter

This discussion has been dormant for a while... With 5.2 just around
the corner, isn't it a good idea to wrap this up and reach some sort
of a conclusion?

Akemi
_______________________________________________
CentOS-devel mailing list
CentOS-devel@centos.org
http://lists.centos.org/mailman/listinfo/centos-devel
 
05-10-2008, 02:35 PM
Daniel de Kok

Point yum repos to centos gpg key in /etc/pki/

2008/2/25 Peter Kjellstrom <cap@nsc.liu.se>:
> We have to assume that the install the user has is intact and uncompromised.
> Why? Well, if it has been compromised in any way then not only could it
> contain a malicious /etc/pki, it could of course have different gpgkey= lines
> in the .repo files...

Or a modified yum or RPM that only appears to do verification. I agree
that we should at the very least suppose that the user verifies the
installation media.

As for DNS poisoning or hacking, that misery can potentially happen to
everyone, and a good manner to guard against this is relying on the
pre-installed key from media that was proven to be correct. So, I
think this should be the default behavior.

Take care,
Daniel
 
07-14-2008, 11:22 AM
Peter Kjellstrom

Point yum repos to centos gpg key in /etc/pki/

On Saturday 10 May 2008, Akemi Yagi wrote:
> 2008/2/25 Peter Kjellstrom <cap@nsc.liu.se>:
> > On Monday 25 February 2008, Johnny Hughes wrote:
> >> Jeff Sheltren wrote:
> >
> > ...
> >
> >> > Johnny, could you let us know your reasons for wanting to point to the
> >> > remote GPG key?
> >>
> >> We DON'T allow downloads of ISOs from centos.org servers due to
> >> bandwidth considerations. It would be fairly easy to put out an ISO
> >> that had different RPMS and a different key.
> >>
> >> Granted, people CAN check the md5 and sha1 sum of the ISOs if they
> >> choose.
> >>
> >> Since we do control the content of every mirror.centos.org server, we
> >> know that the key file is correct. In order to make that key AND the
> >> RPMS be bad, they need a doctored CD *AND* they need to hijack our
> >> content by DNS poisoning or getting control of our servers.
> >>
> >> I just think if you are using the internet anyway, why not also get the
> >> key from a known location.
> >
> > I agree that there's something intuitively right about that, but,
> > unfortunately it's wrong :-)
> >
> > Here's why.
> >
> > We have to assume that the install the user has is intact and
> > uncompromised. Why? Well, if it has been compromised in any way then not
> > only could it contain a malicious /etc/pki, it could of course have
> > different gpgkey= lines in the .repo files...
> >
> > It will have to be up to the user to make sure (with our help, signed
> > .isos, installers that check rpm signatures and stage2 signature) that
> > he/she has an ok system. If they fail then they don't really run centos,
> > they run haxx0r os and any attempt to validate anything inside that will
> > fail.
> >
> > /Peter
>
> This discussion has been dormant for a while... With 5.2 just around
> the corner, isn't it a good idea to wrap this up and reach some sort
> of a conclusion?
>
> Akemi

I would have liked to wake this thread in time for 5.2 but unfortunately I
haven't had any time for centos lately. :-(

It was my interpretation that the discussion ended somewhat in favour
of /etc/pki but either that was just my wishful thinking or it got
forgotten/delayed/dropped because it didn't make it into centos-release for
5.2.

What are the concerns people still have regarding this? (switching gpgkey=
from http://centos.org... to /etc/pki/...)

/Peter
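The switch Peter asks about (gpgkey= from http://centos.org... to /etc/pki/...) is a one-line change per repo section, and Daniel's point is that the only key worth trusting is the one that arrived on verified install media. The script below is an added example for this thread, not code from centos-release or from any of the posters: it audits .repo files for sections that fetch the signing key over the network or skip gpgcheck entirely, and rewrites a remote gpgkey= to the same-named key under /etc/pki/rpm-gpg, but only when that key file already exists on the box. The sample .repo content is constructed to mirror the CentOS-5 layout; the repo file name, the key directory default and the verdict labels are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the thread or of centos-release): audit yum
# .repo files for trust anchors fetched over the network, and localize them.

# Constructed sample .repo content modelled on the CentOS-5 layout.
# [base] uses the remote key, [updates] the local key, [extras] no gpgcheck.
SAMPLE_REPO='[base]
name=CentOS-$releasever - Base
baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5

[updates]
name=CentOS-$releasever - Updates
baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[extras]
name=CentOS-$releasever - Extras
baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
gpgcheck=0
'

# audit_repo FILE
# Prints one line per repo section, "<section> <verdict>", where verdict is
#   ok            gpgcheck=1 and gpgkey is a file:// URL or an absolute path
#   remote-key    gpgcheck=1 but the key is fetched over http/https/ftp
#   no-gpgcheck   gpgcheck is not 1, so package signatures are not checked
# Exit status is 1 if any section is not "ok".
audit_repo() {
    awk '
    function flush() {
        if (sec == "") return
        if (gpgcheck != "1")                v = "no-gpgcheck"
        else if (key ~ /^(file:\/\/|\/)/)  v = "ok"
        else                                v = "remote-key"
        print sec, v
        if (v != "ok") bad = 1
    }
    /^\[.*\]$/   { flush(); sec = substr($0, 2, length($0) - 2); gpgcheck = ""; key = ""; next }
    /^gpgcheck=/ { gpgcheck = substr($0, 10); next }
    /^gpgkey=/   { key = substr($0, 8); next }
    END { flush(); exit (bad ? 1 : 0) }
    ' "$1"
}

# localize_gpgkey FILE [KEYDIR]
# Rewrites single-URL gpgkey= lines that fetch a key over the network to
# point at the same-named file under KEYDIR (default /etc/pki/rpm-gpg, the
# directory the CentOS key ships in). The rewrite is applied only when that
# file exists and is non-empty, so a repo is never pointed at a key the
# system does not actually have. Output goes to stdout.
localize_gpgkey() {
    awk -v keydir="${2:-/etc/pki/rpm-gpg}" '
    /^gpgkey=(https?|ftp):\/\// {
        n = split($0, parts, "/")
        path = keydir "/" parts[n]
        if ((getline probe < path) > 0) { close(path); $0 = "gpgkey=file://" path }
    }
    { print }
    ' "$1"
}

# Stand-alone demo on the constructed sample: the temp dir stands in for
# both /etc/yum.repos.d and /etc/pki/rpm-gpg, with a placeholder key file.
demo_tmp=$(mktemp -d)
printf '%s' "$SAMPLE_REPO" > "$demo_tmp/CentOS-Base.repo"
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' > "$demo_tmp/RPM-GPG-KEY-CentOS-5"
# Expected: "base remote-key", "updates ok", "extras no-gpgcheck", exit 1
audit_repo "$demo_tmp/CentOS-Base.repo" || echo "audit: not every repo uses a local, checked key"
localize_gpgkey "$demo_tmp/CentOS-Base.repo" "$demo_tmp" | grep '^gpgkey='
rm -rf "$demo_tmp"
```

On a real system you would run audit_repo over /etc/yum.repos.d/*.repo and localize_gpgkey with the default key directory; the script deliberately does not fetch anything, since downloading the key to "fix" a repo is exactly the circular trust the thread argues against.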