On Sat, Nov 6, 2021 at 3:43 AM Daniel Alley <dalley(a)redhat.com> wrote:
> On Wed, Aug 11, 2021 at 10:03:50PM +0200, Marek Marczykowski-Górecki wrote:
> I do think we should drop drpms or make them more useful, but I don't
> think there's any security angle here. (see below)
>
> drpms work by downloading the delta, then using it + the version you
> have installed to recreate the signed rpm (just like you downloaded the
> full signed update) and then the gpg signature is checked of that full rpm,
> just like one you downloaded. If the drpm is tampered with it won't
> reassemble and it will fall back to the full signed rpm.
Sorry to resurrect this thread.
Another issue - which is not per-se a security issue but it's still a problem - is
that deltarpm uses md5 checksums pervasively. They're everywhere. And it uses its
own implementation of md5 which doesn't respect FIPS, so even when the user has
*explicitly* configured their system to not use md5 for anything security-relevant,
libdeltarpm won't know or care.
This is not true with libdrpm though, and that version is what
createrepo_c uses.
That said, it *is* also possible to create DeltaRPMs separately from
using createrepo_c, especially by building upon libdrpm, we just
haven't done it.
--
真実はいつも一つ!/ Always, there's only one truth!