
Attacks on package managers


Posted Apr 11, 2009 4:03 UTC (Sat) by lurk546 (subscriber, #17438)
In reply to: Attacks on package managers by mdomsch
Parent article: Attacks on package managers

Unsigned packages occasionally show up on the released versions of Fedora, but they tend to be the exception.

Unfortunately I ran across a lot of unsigned packages while testing Fedora 11 Beta today. Apparently it's a big enough problem that the default repository is set to not check GPG signatures of packages. I tried turning it on and using the other repositories for Fedora 11, but I ran into a lot of packages that would not install because of GPG signature problems.

This seems like an important flaw to fix considering a significant fraction of rawhide users are likely to be package developers and may perhaps have access to some important servers.

I hope this was only changed due to issues regarding the switch to the new hash, and will be corrected quickly.



Re: Attacks on package managers

Posted Apr 14, 2009 19:10 UTC (Tue) by nevyn (subscriber, #33129)

Duh, rawhide isn't signed. Fedora only signs the releases (what normal people use). However in current rawhide they also have metalink to provide security (sha256 hashes of everything) of the repodata.
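The two comments above boil down to a configuration question: which enabled repos on a box will install packages without a signature check, and which of those at least get their repodata hashes from a metalink. The following audit script is an added example, not code from LWN, Fedora or yum; the .repo text it inspects is constructed for illustration (the option names gpgcheck, gpgkey, metalink, baseurl and enabled are real yum/dnf repo options, the URLs and repo contents are made up), and it assumes, conservatively, that an unset gpgcheck means checking is off.

```python
"""Audit yum/dnf .repo configuration for repos that skip GPG signature checks.

Added example; not part of the LWN thread. The sample .repo text below is
constructed for illustration.
"""
import configparser

# Constructed sample: a release repo with signature checking on, and a
# rawhide-style repo whose template disables gpgcheck because rawhide
# packages are not signed (the situation described in the comments).
SAMPLE_REPO = """\
[fedora]
name=Fedora 11 - $basearch
metalink=https://mirrors.example.org/metalink?repo=fedora-11&arch=$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

[rawhide]
name=Fedora - Rawhide - Developmental packages for the next Fedora release
metalink=https://mirrors.example.org/metalink?repo=rawhide&arch=$basearch
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-rawhide
"""


def parse_repos(text):
    """Parse INI-style .repo text into {repo_id: {option: value}}.

    interpolation=None keeps yum variables such as $basearch literal;
    delimiters=("=",) avoids splitting URLs on the ':' in 'https:'.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def audit(text, gpgcheck_default="0"):
    """Return a list of (repo_id, finding) for enabled repos with weak settings.

    gpgcheck_default is an assumption: it stands in for the [main] value that
    a real yum.conf would supply when a repo stanza leaves gpgcheck unset.
    """
    findings = []
    for repo_id, opts in parse_repos(text).items():
        if opts.get("enabled", "1") != "1":
            continue  # disabled repos cannot install anything
        if opts.get("gpgcheck", gpgcheck_default) != "1":
            findings.append((repo_id, "gpgcheck disabled: unsigned packages will install"))
        elif "gpgkey" not in opts:
            findings.append((repo_id, "gpgcheck=1 but no gpgkey configured"))
        # Without a metalink (sha256 of the repodata) or a TLS baseurl, a
        # mirror or on-path attacker can feed stale or altered repodata.
        if "metalink" not in opts and not opts.get("baseurl", "").startswith("https://"):
            findings.append((repo_id, "no metalink and no TLS baseurl: repodata not integrity-checked"))
    return findings


if __name__ == "__main__":
    for repo_id, finding in audit(SAMPLE_REPO):
        print(f"{repo_id}: {finding}")
```

Run against the sample, the script reports only the rawhide repo. Note that the fix is not simply to set gpgcheck=1 on that stanza: as the reply above says, rawhide packages are not signed, so forcing the check reproduces the install failures described in the first comment. What the audit gives you is the list of repos on a machine where package integrity rests solely on the metalink hashes and the transport, which is what you want to know before enabling such a repo on a host with access to anything important.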

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds