[TriLUG] Fwd: Trust issues with RH and Debian package managers
Nalin Dahyabhai
nalin at redhat.com
Tue Dec 18 12:51:03 EST 2001
On Mon, Dec 17, 2001 at 06:51:44PM -0500, Donald Ball wrote:
> On Mon, 17 Dec 2001, Mike Johnson wrote:
>
> > > This is a serious issue for Linux users and I believe it should have been
> > > addressed years ago. That said, now is not too late and definitely not too
> > > early. I look forward to seeing this feature in all future releases of the
> > > major Linux distributions.
> >
> > It has already been addressed by various distributions. Red Hat
> > addressed it when they started signing their packages, yet you
> > dismissed this with a wave of your hand.
>
> i think the point is that up2date didn't warn him that the signature was
> missing, and it probably should.
The original poster wasn't using up2date:
Fourth, I went to the Redhat box and did an 'rpm -U' pointed at the
updates.redhat.com server. I got my trojanned RPM back, with no warnings
or prompts to tell me it hasn't been signed. And I had an ftp server with
a new backdoor up in a matter of minutes.
The default up2date configuration verifies signatures.
Cheers,
Nalin
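The exchange above turns on one practical point: a bare `rpm -U` against a remote package installs it even when no signature is present, so the defence is to verify first and only then install. The following shell script is an added example, not code from the thread or from Red Hat; it wraps `rpm -K` (the checksig mode) and refuses any package whose output does not show a verified GPG/PGP signature. The output-line formats it parses are assumptions about how `rpm -K` reports results, and the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example: install an RPM only after `rpm -K` reports a verified
# GPG/PGP signature. A digest-only "OK" is not enough: anyone can build a
# package with a correct MD5, so that line must be rejected too.

# Decide from one line of `rpm -K` output whether a signature verified.
# Assumed formats (constructed samples):
#   "pkg.rpm: md5 gpg OK"                 signed, verified (rpm 4.0 era)
#   "pkg.rpm: md5 OK"                     digest only, i.e. unsigned
#   "pkg.rpm: digests signatures OK"      signed, verified (newer rpm)
#   "pkg.rpm: md5 gpg NOT OK"             signature failed or key missing
signature_ok() {
    line="$1"
    rest="${line#*: }"          # drop the file name so it cannot match below
    case "$rest" in
        *"NOT OK"*) return 1 ;; # digest or signature failed / key missing
    esac
    case "$rest" in
        *OK*) ;;                # whatever was checked verified
        *) return 1 ;;          # unexpected output: treat as failure
    esac
    case "$rest" in
        *gpg*|*pgp*|*signatures*) return 0 ;;  # a signature was actually checked
        *) return 1 ;;          # only a digest was checked
    esac
}

# Check-then-install wrapper. `rpm -K` exits non-zero on a failed signature
# on most versions, but older versions exit 0 for unsigned packages, so the
# output line is parsed as well as the exit status.
safe_install() {
    pkg="$1"
    out=$(rpm -K "$pkg" 2>&1) || { echo "refusing $pkg: $out" >&2; return 1; }
    if signature_ok "$out"; then
        rpm -U "$pkg"
    else
        echo "refusing $pkg: no verified signature ($out)" >&2
        return 1
    fi
}

# Usage: ./safe_install.sh /path/to/downloaded/package.rpm
if [ "$#" -gt 0 ]; then
    safe_install "$1"
fi
```

Download the package to local disk first and run the wrapper on the file, rather than pointing `rpm -U` at the mirror directly; that way the signature check happens before anything is installed, which is the behaviour up2date provides by default.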