[Yum] Error updating RH8

R P Herrold herrold at owlriver.com
Wed Jan 15 19:10:04 UTC 2003


On Wed, 15 Jan 2003, Michael A. Peterson wrote:

> May I suggest that yum checks that the downloaded header file is not just
> a 404 error from the web server?  :)

Certainly -- lots of good coding practice options exist --
also check that size is non-zero; and here, that the gzip CRC
checksum is intact, and later, that the header has all four
fields of another version.  We are spoiled by the robustness
of the internet as a transport, when stuff mostly works.

But there are evil people out there, and yum headers are not
GPG signed -- It seems there are possibilities for exploits
which could be forged and pushed out if a yum mirror were
compromised, and cleverly written rogue content .hdr's were
substituted; as was the case with the tcpdump, and sendmail
mirrors in recent months ...  a good gzip checksum should be
trivial to forge -- maybe more is needed to confirm the
'goodness' of a header still.  Food for thought.

One of the things that drives me nuts on python is that it is
so direct in pointing out (via stack traces) that one has
not checked all return codes. <smile>

-- Russ Herrold
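The checks discussed in this thread (reject a 404 or HTML error page, reject an empty body, verify the gzip CRC, and then verify the file against a value obtained from a trusted channel because the CRC alone is trivially forged) as an added Python example. This is not yum's code; it uses a SHA-256 digest pinned out of band as a stand-in for the GPG signature the post asks for, and the header bytes and the HTTP status values are constructed samples.

```python
import gzip
import hashlib
import hmac
import zlib


def build_header(payload: bytes) -> bytes:
    """Constructed stand-in for a yum .hdr download: gzip-compressed bytes."""
    return gzip.compress(payload)


def corrupt_crc(blob: bytes) -> bytes:
    """Flip one bit in the gzip trailer CRC32 (the last 8 bytes are CRC32 + ISIZE)."""
    damaged = bytearray(blob)
    damaged[-8] ^= 0x01
    return bytes(damaged)


def validate_header(status: int, body: bytes, trusted_sha256: str) -> tuple:
    """Return (ok, reason). Every check from the thread, in the order a client
    would apply them; only the last one defends against a compromised mirror."""
    # 1. An error status means the body is the server's error page, not a header.
    if status != 200:
        return False, f"http status {status}"
    # 2. A zero-length download is never a valid header.
    if len(body) == 0:
        return False, "empty body"
    # 3. Some mirrors answer 200 with an HTML page; the gzip magic catches that.
    if body[:2] != b"\x1f\x8b":
        return False, "not gzip"
    # 4. gzip.decompress verifies the CRC32 and ISIZE trailer and raises on mismatch.
    try:
        gzip.decompress(body)
    except (OSError, EOFError, zlib.error):
        return False, "gzip integrity check failed"
    # 5. A forged .hdr will carry a perfectly valid CRC, so the download must
    #    also match a value that did not come from the mirror. Here: a SHA-256
    #    digest pinned from a trusted source (assumption; a GPG signature in practice).
    digest = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(digest, trusted_sha256):
        return False, "digest mismatch with trusted value"
    return True, "ok"


# Constructed sample: the legitimate header and the digest a client would
# have obtained out of band (computed here only so the example is self-contained).
GOOD_HEADER = build_header(b"name=tcpdump\nversion=3.7.1\nrelease=1\narch=i386\n")
TRUSTED_SHA256 = hashlib.sha256(GOOD_HEADER).hexdigest()

if __name__ == "__main__":
    cases = {
        "legit": (200, GOOD_HEADER),
        "404": (404, b"<html><body>Not Found</body></html>"),
        "empty": (200, b""),
        "html with 200": (200, b"<html><body>Mirror moved</body></html>"),
        "bad crc": (200, corrupt_crc(GOOD_HEADER)),
        "forged, valid crc": (200, build_header(b"name=tcpdump\nversion=3.7.1-rogue\n")),
    }
    for label, (status, body) in cases.items():
        print(f"{label:18s} -> {validate_header(status, body, TRUSTED_SHA256)}")
```

The "forged, valid crc" case is the point of the post: the attacker recompresses rogue content, so the gzip CRC passes, and only the out-of-band digest (or a signature) rejects it.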
