On October 22, 2004 10:54, Mikkel L. Ellertson wrote:
> cervixcouch wrote:
> > So how exactly does one safeguard against a trojan when installing an
> > RPM?
>
> Check the signature of the RPM, to be sure it is really from the source
> you think it is. You can also look at the file list, and the scripts
> that are run when installing, removing, etc. I use Midnight Commander
> (mc) to look at what is in the RPM, and "rpm --checksig <rpm name>" to
> verify the RPM. urpmi also checks the signature, and asks you about
> installing if it doesn't match. (Not sure what it does if they do not
> match when running in the auto mode.) You do have to make sure your
> keys are kept up to date.
> ...
> Mikkel
This is interesting, given the oft-repeated advice on this list to ignore the urpmi warnings about signatures not matching and install anyway! The signature check is there for a reason, to detect tampering (by someone other than the package distributor of course, since they can tamper with it and still sign it). The only way someone other than the distributor can tamper with a package without setting off the warning is by cracking the host and obtaining the private signing key.

Of course, if you don't have the correct keys installed, you get this warning for everything. This is part of the safeguard - you first have to make an explicit decision to trust the key by installing it. But if you take the lazy way out and just hit "y" for every signature warning, you are leaving yourself open to tampering.

If you are obtaining rpms from a site other than the standard ones (for which the keys are pre-installed), in addition to checking the reputation of the distributor, you should insist on a key from them for you to install, such as the one our friendly neighbourhood Charles Edwards provides. Also insist that all the packages be signed using that key. Of course, you have to trust that the key hasn't been tampered with as well. The really paranoid among us rely on key signatures exchanged by some other channel, such as telephone, to verify a key before installing it. It's kind of like Spy vs. Spy.

--
Ron Hunter-Duvar
ronhd at users dot sourceforge dot net
Opinions expressed here are all mine. Rights to use these opinions are granted under the GNU GPL.
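The procedure both posts describe (check the signature, refuse on mismatch, distinguish "key not installed" from "signature does not verify", then look at the file list and install scripts) as an added example script; it is not from either poster. The rpm flags used (--checksig, -qlp, -qp --scripts, --import) are real, but the exact wording of --checksig output differs between rpm versions, so the sample lines below are constructed and the parser fails closed on anything it does not recognise.

```shell
#!/bin/sh
# Added example: classify "rpm --checksig" output and refuse a package unless
# its signature verifies against a key that is already imported.

# classify_checksig_line LINE -> prints one of: ok | nokey | bad
classify_checksig_line() {
  case "$1" in
    *"MISSING KEYS"*|*NOKEY*) echo nokey ;;  # signed, but signing key not imported
    *"NOT OK"*)               echo bad ;;    # signature or digest does not verify
    *" OK"*)                  echo ok ;;     # digests and signatures verified
    *)                        echo bad ;;    # unknown wording: fail closed
  esac
}

# inspect_rpm PKG: verify the signature, then show what installing would do.
# Returns 0 only when the signature verified with an already-trusted key.
inspect_rpm() {
  pkg=$1
  line=$(rpm --checksig "$pkg" 2>&1)      # same check as "rpm -K"
  case "$(classify_checksig_line "$line")" in
    ok)
      echo "signature OK: $pkg" ;;
    nokey)
      echo "UNKNOWN KEY: $pkg"
      echo "Get the distributor's key, confirm its fingerprint over another"
      echo "channel, then: rpm --import <keyfile>   (do not just answer y)"
      return 2 ;;
    bad)
      echo "SIGNATURE DOES NOT VERIFY: $pkg - do not install"
      return 1 ;;
  esac
  echo "--- files the package would install ---"
  rpm -qlp "$pkg"
  echo "--- scriptlets run as root at install/remove time ---"
  rpm -qp --scripts "$pkg"
}
```

Run as `inspect_rpm some-package.rpm`; the exit code (0, 1 or 2) can gate an automated install.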