Red Hat Bugzilla – Bug 135813
mirrorlists are not gpg signed
Last modified: 2014-01-21 17:50:23 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041012
Description of problem:
Hackers can change mirror lists without any gpg checking and enter my
box by installing trojan horses.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Hack into fedora.redhat.com
2. Change mirror list to evil url with trojan horses installed
3. Wait for unsuspecting souls to download your trojan horses
4. Become the l33t h4x0r
Actual Results: Your box is broken into.
Expected Results: mirror lists should be GPG signed.
FWIW, the evil hackers will also need to sign their packages with Red
Hat's GPG keys (or other widely used GPG keys) in order for it to
succeed -- at least, if you leave GPG signature checking of packages
enabled. So, I'm not sure this is as serious as you suggest. (It would
still be a good thing to improve though.)
Yes, unfortunately, the default yum.conf from Fedora does not have
gpgcheck turned on.
Not in Rawhide b/c the packages in rawhide are not signed.
However, i am hoping for gpgcheck=1 to be the default for FC3 yum.conf.
Bringing this forward as a reminder. If it isn't possible then please
removing as a blocker. No way to get those code written and tested in
that short of a time.
all packages are gpgsigned - the mirrorlists shouldn't be a problem by