[Yum-devel] [PATCH 2/2] Add new urlgrabber option 'csum_type'.
james at fedoraproject.org
Wed Jul 6 15:54:58 UTC 2011
On Wed, 2011-07-06 at 11:41 -0400, seth vidal wrote:
> On Wed, 2011-07-06 at 11:27 -0400, James Antill wrote:
> > The other problem is that when you start the parallel part of the
> > downloading changes, the IO will be happening in another process ... but
> > I doubt that we can do the checksum there (due to desired security
> > boundaries).
> > If we _can_ put the checksumming in the helpers, then it might be worth
> > the changes due to the fact we can parallelize the checksumming then
> > too.
> If you can shove the expected checksum across to the downloader then you
> can get away with it over there - it just means MORE config info to
> stuff to shove to the downloader.
Yeh, I'm sure that you only want the checksum coming out of the
downloader ... as this makes it a little bit harder for an attacker who
gains control of the downloader (but maybe not much). But thinking about
it more, this means that we can't pass an object ... which means the
whole thing is screwed anyway.
> checksumming at the downloader then gpg checking inside yum seems
> reasonable as a separation, esp considering the security goals.
I'm not so sure, people keep talking about Fedora just having "built by
the Fedora infra. signing" and using the https+metalink(+repomd
signing)+checksumming to do the real security.
At that point I'm 99% sure that "the security people" will not want the
checksum happening in the untrusted part of the chain.
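The separation argued about above, as an added illustration that is not part of this thread or of the yum/urlgrabber code: the downloader helper may report a checksum, but the trusted side recomputes it from the file with the configured `csum_type` and compares only its own result. The function names, the allow-list and the temp-file stand-in for a download are assumptions made for the example.

```python
import hashlib
import hmac
import os
import tempfile

# Algorithms the trusted side is willing to run for 'csum_type' (assumed allow-list).
ALLOWED_CSUM_TYPES = ("sha256", "sha512", "sha1", "md5")


def file_checksum(path, csum_type, chunk_size=65536):
    """Stream the file through the named hash; unknown csum_type values are refused."""
    if csum_type not in ALLOWED_CSUM_TYPES:
        raise ValueError("unsupported csum_type: %r" % (csum_type,))
    h = hashlib.new(csum_type)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def untrusted_helper_download(path, claimed_csum):
    """Stand-in for the downloader process: it hands back a file and a checksum claim.
    A compromised helper could claim anything here, so the caller must not rely on it."""
    return {"path": path, "csum": claimed_csum}


def trusted_verify(result, csum_type, expected_csum):
    """Recompute the checksum on the yum side; the helper's claim is deliberately ignored."""
    actual = file_checksum(result["path"], csum_type)
    return hmac.compare_digest(actual, expected_csum.lower())


def demo(content, csum_type, expected_csum, helper_claim):
    """Write constructed content to a temp file, let the helper 'download' it, then verify."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(content)
        result = untrusted_helper_download(path, helper_claim)
        return trusted_verify(result, csum_type, expected_csum)
    finally:
        os.unlink(path)
```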