On 11/6/21 6:47 AM, Neal Gompa wrote: > On Sat, Nov 6, 2021 at 3:43 AM Daniel Alley <dal...@redhat.com> wrote: >> >>> On Wed, Aug 11, 2021 at 10:03:50PM +0200, Marek Marczykowski-Górecki wrote: >>> I do think we should drop drpms or make them more useful, but I don't >>> think there's any security angle here. (see below) >>> >>> drpms work by downloading the delta, then using it + the version you >>> have installed to recreate the signed rpm (just like you downloaded the >>> full signed update) and then the gpg signature is checked of that full rpm, >>> just like one you downloaded. If the drpm is tampered with it won't >>> reassemble and it will fall back to the full signed rpm. >> >> Sorry to resurrect this thread. >> >> Another issue - which is not per-se a security issue but it's still a >> problem - is that deltarpm uses md5 checksums pervasively. They're >> everywhere. And it uses its own implementation of md5 which doesn't respect >> FIPS, so even when the user has *explicitly* configured their system to not >> use md5 for anything security-relevant, libdeltarpm won't know or care. > > This is not true with libdrpm though, and that version is what > createrepo_c uses.
Yes, but createrepo_c isn’t what runs on end-user devices. Sincerely, Demi Marie Obenour (she/her/hers)
OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
