Bug 1130491
| Summary: | yum repo metadata is not verified (repomd.xml.asc not present, repo_gpgcheck not enabled) | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Joonas <joonas.lehtonen> |
| Component: | fedora-release | Assignee: | Dennis Gilmore <dennis> |
| Status: | CLOSED UPSTREAM | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 22 | CC: | dennis, fedora, jdisnard, opensource, pspacek |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-10-21 19:43:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description (Joonas, 2014-08-15 11:58:08 UTC)
We have worked around signing repodata by using metalinks in MirrorManager. You request the metalink via an HTTPS URL that can be verified; it contains the SHA sums of the repomd.xml file, which then lets you validate that everything is okay and secure and prevents any MITM attacks.

Apparently https://mirrors.fedoraproject.org/metalink?repo=fedora-22&arch=x86_64 actually contains some hashes of the metadata, but the metalink is more like a poor man's solution (and actually not a 'solution'). In my eyes the problem is that all the security depends on the fact that Yum uses TLS to download the mirror list, i.e. it effectively protects only users who did not change the yum configuration to use a local mirror directly instead of the mirrorlist. This happens a lot in internal networks where you have site-wide mirrors of repos etc. Can we reconsider this and sign the metadata so that all users who just mirror the official repos are protected against simple attacks where the attacker simply leaves older packages in the repo? Thank you.

This is tracked in the rel-eng Trac: https://fedorahosted.org/rel-eng/ticket/1501
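As an added illustration of the check the metalink enables (not code from the bug, from yum, or from Fedora's tooling): the metalink fetched over HTTPS lists hashes of repomd.xml, so a client that has it can reject a repomd.xml from a mirror that does not match, for example a stale copy left in place on purpose. A client configured with a plain baseurl never fetches the metalink, so it has no hashes to check against, which is the gap the report describes. The Metalink 3.0 layout (metalinker.org namespace, `file`/`verification`/`hash` elements) and both sample documents are constructed here.

```python
import hashlib
import xml.etree.ElementTree as ET

# Metalink 3.0 namespace as served by mirrors.fedoraproject.org (assumed here, not taken from the bug).
ML = "{http://www.metalinker.org/}"


def metalink_hashes(metalink_xml: str, filename: str = "repomd.xml") -> dict:
    """Return {hash_type: hex_digest} that the metalink lists for `filename`."""
    root = ET.fromstring(metalink_xml)
    for entry in root.iter(ML + "file"):
        if entry.get("name") != filename:
            continue
        verification = entry.find(ML + "verification")
        if verification is None:
            return {}
        return {h.get("type"): h.text.strip()
                for h in verification.findall(ML + "hash") if h.text}
    return {}


def repomd_matches_metalink(repomd_bytes: bytes, hashes: dict) -> bool:
    """Compare a downloaded repomd.xml against the strongest hash the metalink offers."""
    for algo in ("sha512", "sha256"):
        if algo in hashes:
            return hashlib.new(algo, repomd_bytes).hexdigest() == hashes[algo].lower()
    return False  # no strong hash (or no metalink at all): nothing vouches for this repomd.xml


# Constructed sample data: the current repomd.xml, a stale copy a mirror might still serve,
# and a metalink (as fetched over HTTPS) that vouches for the current one only.
GOOD_REPOMD = b'<?xml version="1.0"?><repomd><revision>1439641088</revision></repomd>\n'
STALE_REPOMD = b'<?xml version="1.0"?><repomd><revision>1407066000</revision></repomd>\n'
SAMPLE_METALINK = f"""<?xml version="1.0" encoding="utf-8"?>
<metalink version="3.0" xmlns="http://www.metalinker.org/">
  <files>
    <file name="repomd.xml">
      <verification>
        <hash type="sha256">{hashlib.sha256(GOOD_REPOMD).hexdigest()}</hash>
      </verification>
    </file>
  </files>
</metalink>
"""

if __name__ == "__main__":
    hashes = metalink_hashes(SAMPLE_METALINK)
    print("current repomd.xml accepted:", repomd_matches_metalink(GOOD_REPOMD, hashes))  # True
    print("stale repomd.xml accepted:  ", repomd_matches_metalink(STALE_REPOMD, hashes))  # False
    # A baseurl-only client never downloads the metalink, so it has no hashes to check:
    print("no metalink, repomd accepted:", repomd_matches_metalink(GOOD_REPOMD, {}))  # False
```

A real metalink lists several hash types per file; the sample keeps a single sha256 entry to stay short.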