
Signed packages alone is not sufficient to protect the system from malicious software...

Posted Nov 20, 2009 1:27 UTC (Fri) by drag (subscriber, #31333)
Parent article: Fedora 12 lets unprivileged users install packages

I was reading through the comments on the mailing list and I realize now
that having signed packages is insufficient to guarantee the security of
the packages.

The reason is because if a person uses a malicious mirror they can retain
outdated copies of the packages that contain known vulnerabilities. Then
they can trick administrators into using these outdated mirrors through a
MITM attack or DNS poisoning or something like that.

However, this is a vulnerability for any method of updating your system.
This affects, but is not reserved to, PackageKit... yum/apt-get/wget
pipes/etc. are affected.

So the solution is that the server you download the lists of packages from
must be authenticated and communication must be secure through mechanisms
like TLS. Now the packages themselves don't have to be downloaded via a
TLS/SSL secured server because they are signed... but the package management
system must always have the updated lists provided through a more secure
mechanism.
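An added example (not from the comment author or from any Fedora tool) that shows the point above in code: a client that takes its package index from an authenticated channel and then accepts package bodies from any mirror only when they match that index. The index and mirror contents are constructed inline; the package name, versions and digests are made up for the demo.

```python
"""Constructed demo of 'authenticated index, untrusted mirror' package verification."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    name: str
    version: str
    sha256: str  # hex digest of the package body listed in the index


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Constructed package bodies. 1.0-1 stands in for an old build with a known bug.
OLD_BUILD = b"examplepkg-1.0-1 package bytes (constructed)"
CURRENT_BUILD = b"examplepkg-1.0-2 package bytes (constructed)"

# Index the client is assumed to have fetched over TLS from the project's own server.
CURRENT_INDEX = {("examplepkg", "1.0-2"): Entry("examplepkg", "1.0-2", sha256_hex(CURRENT_BUILD))}

# Index a stale mirror would serve if the client trusted the mirror for metadata too.
STALE_INDEX = {("examplepkg", "1.0-1"): Entry("examplepkg", "1.0-1", sha256_hex(OLD_BUILD))}

# What the (possibly malicious) mirror actually serves: it kept the old build around.
MIRROR = {("examplepkg", "1.0-1"): OLD_BUILD, ("examplepkg", "1.0-2"): CURRENT_BUILD}


def check_package(index, name, version, blob):
    """Accept only a package the index lists under exactly this name/version
    and whose body matches the listed digest. Returns (accepted, reason)."""
    entry = index.get((name, version))
    if entry is None:
        return False, f"{name}-{version} not in the current index (stale or unknown)"
    if not hmac.compare_digest(sha256_hex(blob), entry.sha256):
        return False, f"digest mismatch for {name}-{version}"
    return True, "ok"


def install_from_mirror(index, mirror, name, version):
    """Fetch a package body from an untrusted mirror and verify it against the index."""
    blob = mirror.get((name, version))
    if blob is None:
        return False, f"mirror does not carry {name}-{version}"
    return check_package(index, name, version, blob)
```

With CURRENT_INDEX the old build is rejected even though its bytes are intact; with STALE_INDEX, which is what an unauthenticated mirror could hand out, the same old build verifies cleanly, which is why the index itself must come over an authenticated channel.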



Signed packages alone is not sufficient to protect the system from malicious software...

Posted Nov 20, 2009 14:55 UTC (Fri) by skvidal (subscriber, #3094)

Metalinks are the default mechanism for getting the mirrorlist from Fedora. They are accessed over HTTPS, and urlgrabber in F12 checks certificates properly.
So, yes, that's done.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds