From ilug-admin@linux.ie Tue Oct 8 12:26:48 2002 Return-Path: Delivered-To: zzzz@localhost.example.com Received: from localhost (jalapeno [127.0.0.1]) by example.com (Postfix) with ESMTP id E41D916F03 for ; Tue, 8 Oct 2002 12:26:47 +0100 (IST) Received: from jalapeno [127.0.0.1] by localhost with IMAP (fetchmail-5.9.0) for zzzz@localhost (single-drop); Tue, 08 Oct 2002 12:26:47 +0100 (IST) Received: from lugh.tuatha.org (postfix@lugh.tuatha.org [194.125.145.45]) by dogma.slashnull.org (8.11.6/8.11.6) with ESMTP id g98APSK11003 for ; Tue, 8 Oct 2002 11:25:28 +0100 Received: from lugh.tuatha.org (localhost [127.0.0.1]) by lugh.tuatha.org (Postfix) with ESMTP id CAF5134206; Tue, 8 Oct 2002 11:26:11 +0100 (IST) Delivered-To: linux.ie-ilug@localhost Received: from dspsrv.com (vir.dspsrv.com [193.120.211.34]) by lugh.tuatha.org (Postfix) with ESMTP id C0B96341E1 for ; Tue, 8 Oct 2002 11:25:08 +0100 (IST) Received: from [195.17.199.3] (helo=waider.ie) by dspsrv.com with asmtp (Exim 3.36 #1) id 17yrY3-0000WN-00; Tue, 08 Oct 2002 11:25:07 +0100 Message-Id: <3DA2B226.2060209@waider.ie> From: Waider MIME-Version: 1.0 To: brendan@zen.org Cc: ilug@linux.ie Subject: Re: [ILUG] packaging risks and the reputation of linux distributions References: <200210081058.50438.brendan@zen.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: ilug-admin@linux.ie Errors-To: ilug-admin@linux.ie X-Beenthere: ilug@linux.ie X-Mailman-Version: 2.0.11 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: Irish Linux Users' Group List-Unsubscribe: , List-Archive: X-Original-Date: Tue, 08 Oct 2002 12:23:34 +0200 Date: Tue, 08 Oct 2002 12:23:34 +0200 Brendan Kehoe wrote: > As a workaround, the various distributions could use a GPG singature to verify > correctness of the file. Since the distributor's secret key is required to > create that signature, it would add a pretty significant step that would have > to be taken to make it possible to replace both a rpm or apt file and its > accompanying signature. Check your local friendly Red Hat installation: [root@localhost up2date]# rpm --checksig zsh-4.0.2-2.src.rpm zsh-4.0.2-2.src.rpm: md5 gpg ok Of course, this is only as useful as, say, the gpg keys distributed with the Kernel tarballs, i.e. if you don't actually bother checking the sig then you are open to abuse. It's entirely possible that rpm can be configured to require good signatures, but I've not read that part of the fine manual just yet. Cheers, Waider. -- waider@waider.ie / Yes, it /is/ very personal of me -- Irish Linux Users' Group: ilug@linux.ie http://www.linux.ie/mailman/listinfo/ilug for (un)subscription information. List maintainer: listmaster@linux.ie