From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041012 Firefox/0.10.1

Description of problem:
Hackers can change mirror lists without any gpg checking and enter my box by installing trojan horses.

Version-Release number of selected component (if applicable):
yum-2.1.7-2

How reproducible:
Always

Steps to Reproduce:
1. Hack into fedora.redhat.com
2. Change mirror list to evil url with trojan horses installed
3. Wait for unsuspecting souls to download your trojan horses
4. Become the l33t h4x0r

Actual Results: Your box is broken into.

Expected Results: mirror lists should be GPG signed.

Additional info:
FWIW, the evil hackers will also need to sign their packages with Red Hat's GPG keys (or other widely used GPG keys) in order for it to succeed -- at least, if you leave GPG signature checking of packages enabled. So, I'm not sure this is as serious as you suggest. (It would still be a good thing to improve though.)
Yes, unfortunately, the default yum.conf from Fedora does not have gpgcheck turned on.
Not in Rawhide b/c the packages in rawhide are not signed. However, I am hoping for gpgcheck=1 to be the default for FC3 yum.conf.
Bringing this forward as a reminder. If it isn't possible then please remove "blocker".
Removing as a blocker. No way to get that code written and tested in that short of a time. All packages are GPG-signed - the mirrorlists shouldn't be a problem by themselves.
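The thread turns on whether gpgcheck is actually enabled for each repository, since an unsigned mirror list only matters where package signatures are not verified. The following check is an added example, not part of the bug report or of yum itself: it reads yum.conf-style text and reports the repositories that end up with gpgcheck off. It assumes that a repo section without its own gpgcheck line inherits the [main] value and that a missing [main] value means off; the sample configuration and function names are constructed for illustration.

```python
import configparser

# Constructed sample configuration (not taken from the bug report).
SAMPLE_YUM_CONF = """\
[main]
gpgcheck=0

[base]
mirrorlist=http://mirrors.example.invalid/base
gpgcheck=1

[updates]
mirrorlist=http://mirrors.example.invalid/updates

[local]
baseurl=file:///srv/repo
gpgcheck=no
"""

TRUE_VALUES = {"1", "yes", "true"}


def _is_on(value):
    return value.strip().lower() in TRUE_VALUES


def effective_gpgcheck(conf_text):
    """Return {repo_id: bool}: the gpgcheck value each repo ends up with."""
    # RawConfigParser: no interpolation, so $releasever and % in URLs are safe.
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(conf_text)
    # Assumption: no gpgcheck line in [main] means checking is off.
    main_on = (parser.has_option("main", "gpgcheck")
               and _is_on(parser.get("main", "gpgcheck")))
    result = {}
    for repo in parser.sections():
        if repo == "main":
            continue
        if parser.has_option(repo, "gpgcheck"):
            result[repo] = _is_on(parser.get(repo, "gpgcheck"))
        else:
            result[repo] = main_on  # repo inherits the [main] setting
    return result


def unchecked_repos(conf_text):
    """Repos whose packages would be installed without signature checks."""
    return sorted(r for r, on in effective_gpgcheck(conf_text).items() if not on)
```
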