On Sat, 2021-11-06 at 07:43 +0000, Daniel Alley wrote:
> > On Wed, Aug 11, 2021 at 10:03:50PM +0200, Marek Marczykowski-Górecki wrote:
> > I do think we should drop drpms or make them more useful, but I don't
> > think there's any security angle here. (see below)
> > 
> > drpms work by downloading the delta, then using it + the version you
> > have installed to recreate the signed rpm (just like you downloaded the
> > full signed update) and then the gpg signature is checked of that full rpm,
> > just like one you downloaded. If the drpm is tampered with it won't
> > reassemble and it will fall back to the full signed rpm.
> 
> Sorry to resurrect this thread.
> 
> Another issue - which is not per se a security issue but it's still a
> problem - is that deltarpm uses md5 checksums pervasively.  They're
> everywhere.  And it uses its own implementation of md5 which doesn't
> respect FIPS, so even when the user has *explicitly* configured their
> system to not use md5 for anything security-relevant, libdeltarpm
> won't know or care. 

md5 used as a checksum to only detect network transmission issues is
not a problem, and is not under the purview of the FIPS certification.

As mentioned above the actual packages are still finally reassembled
and the signature checked, so that is what matters in terms of security
(those algorithms and computations need to be FIPS approved and the
implementation certified).

HTH,
Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
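
The flow discussed in this thread (rebuild from a delta, verify the signature on the rebuilt package, fall back to the full package), sketched as an added example that is not part of the original messages and not deltarpm's own code. Assumptions: the delta format and all function names are hypothetical, the packages are constructed samples, and HMAC-SHA256 under a demo key stands in for the OpenPGP signature.

```python
import hashlib
import hmac

# Constructed stand-in: HMAC-SHA256 under a demo key replaces the real OpenPGP
# signature so the example runs offline with the standard library only.
REPO_KEY = b"constructed-demo-key"

def sign(payload: bytes) -> bytes:
    return hmac.new(REPO_KEY, payload, hashlib.sha256).digest()

def build_pkg(payload: bytes) -> bytes:
    """Toy 'signed rpm': 32-byte signature followed by the payload."""
    return sign(payload) + payload

def signature_ok(pkg: bytes) -> bool:
    return hmac.compare_digest(sign(pkg[32:]), pkg[:32])

def md5_hex(data: bytes) -> str:
    # usedforsecurity=False (Python 3.9+) declares a non-security checksum, which
    # permits MD5 in restricted environments such as FIPS mode.
    return hashlib.md5(data, usedforsecurity=False).hexdigest()

def make_delta(old_pkg: bytes, new_pkg: bytes) -> dict:
    """Toy delta (not the drpm format): new signature, shared-prefix length, new tail."""
    old, new = old_pkg[32:], new_pkg[32:]
    keep = 0
    while keep < min(len(old), len(new)) and old[keep] == new[keep]:
        keep += 1
    tail = new[keep:]
    return {"sig": new_pkg[:32], "keep": keep, "tail": tail, "md5": md5_hex(tail)}

def update(old_pkg: bytes, delta: dict, fetch_full) -> tuple:
    """Rebuild from the delta and return (package, source); else use the full package."""
    if md5_hex(delta["tail"]) == delta["md5"]:      # catches transfer corruption only
        rebuilt = delta["sig"] + old_pkg[32:][:delta["keep"]] + delta["tail"]
        if signature_ok(rebuilt):                   # the actual security decision
            return rebuilt, "delta"
    full = fetch_full()
    if not signature_ok(full):
        raise ValueError("full package failed signature verification")
    return full, "full"

# Constructed sample packages.
OLD = build_pkg(b"name=demo version=1.0 files=/usr/bin/demo:AAAA")
NEW = build_pkg(b"name=demo version=1.1 files=/usr/bin/demo:BBBB")
```

A delta whose tail is altered and whose MD5 is recomputed to match still passes the checksum, but the rebuilt package fails the signature check and `update` falls back to the full package.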
