[Yum-devel] [PATCH] Check internal sqlite checksum

Florian Festi ffesti at redhat.com
Thu Aug 23 10:19:12 UTC 2007


Florian Festi wrote:
> seth vidal wrote:
>> I don't think we want to make them locally. For verification purposes
>> it's a dicey proposition.
>>
>> Think about this:
>>
>> if we see that the sqlite file is changed - how do we know it was
>> changed due to index generation and not due to someone mucking with our
>> metadata?
> 
> While I believe it is possible to create the indexes in a sane way 
> locally this would require some more thought.

As I had a night of sleep it doesn't seem to be that hard. We have to make 
sure that we do a real checksum check after downloading the sqlite file to 
make sure the mirrors don't mess with us and to keep the (yet to be forged) 
signing chain closed.

After the file is written to disc we don't need to verify it over and over 
again for every yum run. /var/cache/yum is root territory and if someone is 
capable of messing with that, he owns your system anyway.

Patch is attached although I don't know if we want it to be in F8 already.

Florian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Check-only-internal-checksum-of-already-existing-sql.patch
Type: text/x-patch
Size: 2722 bytes
Desc: not available
Url : http://lists.baseurl.org/pipermail/yum-devel/attachments/20070823/fd50e32d/attachment.bin 
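
The two-stage check discussed in this message, as an added sketch (not the attached patch and not yum's code): a full file checksum once at download time, then on later runs only the checksum recorded inside the database, which still matches after local index generation has changed the file's bytes. The `db_info(checksum)` table layout, the function names and the sample values are assumptions made for this example.

```python
import hashlib, os, sqlite3, tempfile

def file_digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def install_download(tmp_path, cache_path, repomd_digest):
    # Full checksum once, at download time, so a mirror cannot substitute the file.
    if file_digest(tmp_path) != repomd_digest:
        os.unlink(tmp_path)
        raise ValueError("sqlite file does not match the checksum in repomd")
    os.replace(tmp_path, cache_path)

def internal_checksum(path):
    # Assumed layout: table db_info(checksum) written when the db was generated.
    try:
        con = sqlite3.connect(path)
        try:
            row = con.execute("SELECT checksum FROM db_info").fetchone()
        finally:
            con.close()
    except sqlite3.Error:
        return None  # not a usable database: treat the cache as stale
    return row[0] if row else None

def cache_is_current(cache_path, repomd_internal):
    # Per-run check: no rehash of the file, only the value stored inside it.
    return os.path.exists(cache_path) and internal_checksum(cache_path) == repomd_internal

def build_sample_db(path, checksum):
    # Constructed sample standing in for a downloaded primary.sqlite.
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE db_info (checksum TEXT)")
    con.execute("CREATE TABLE packages (name TEXT)")
    con.execute("INSERT INTO db_info VALUES (?)", (checksum,))
    con.commit()
    con.close()

def demo():
    d = tempfile.mkdtemp()
    tmp, cache = os.path.join(d, "dl.tmp"), os.path.join(d, "primary.sqlite")
    build_sample_db(tmp, "constructed-xml-checksum")
    published = file_digest(tmp)
    install_download(tmp, cache, published)
    con = sqlite3.connect(cache)  # local index generation rewrites the file
    con.execute("CREATE INDEX pkgname ON packages (name)")
    con.commit()
    con.close()
    return file_digest(cache) == published, cache_is_current(cache, "constructed-xml-checksum")
```

`demo()` returns whether the whole-file digest still matches after the index is built and whether the internal check still passes; the second check is only as trustworthy as the write protection on the cache directory.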

