On Wed, Aug 11, 2021 at 10:03:50PM +0200, Marek Marczykowski-Górecki wrote:
I do think we should drop drpms or make them more useful, but I don't
think there's any security angle here. (see below)
drpms work by downloading the delta, then using it + the version you
have installed to recreate the signed rpm (just like you downloaded the
full signed update), and then the gpg signature of that full rpm is checked,
just like one you downloaded. If the drpm is tampered with it won't
reassemble and it will fall back to the full signed rpm.

Sorry to resurrect this thread.
Another issue, which is not per se a security issue but is still a problem, is
that deltarpm uses md5 checksums pervasively. They're everywhere. And it uses its
own implementation of md5 which doesn't respect FIPS, so even when the user has
*explicitly* configured their system to not use md5 for anything security-relevant,
libdeltarpm won't know or care.
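The flow described in the two messages above (rebuild the full rpm from a delta plus the installed version, check the rebuilt payload against the checksum carried in the delta, then verify the signature over the full rpm exactly as for a direct download, and fall back to the full download when anything fails), written out as an added Python example that is not code from deltarpm, dnf or this thread. The delta format, the sample "rpm" payloads and the `tamper` fault-injection helper are constructed for the demo; an HMAC-SHA256 with a constructed key stands in for the repository's GPG signature, and the checksum stage uses SHA-256 rather than the MD5 that deltarpm records, so the same check would keep working on a FIPS-enforcing host.

```python
import hashlib
import hmac

# Constructed stand-in for the repository's GPG signing key. Real clients verify a
# detached GPG signature with the repo's public key; HMAC-SHA256 plays that role here.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed sample payloads standing in for the installed and the updated rpm.
OLD_RPM = b"Name: demo\nVersion: 1.0\n" + bytes(range(32))
NEW_RPM = b"Name: demo\nVersion: 1.1\n" + bytes(range(32)) + b"\nChangelog: fixed\n"


def sign_full_rpm(full_rpm: bytes) -> bytes:
    """Stand-in for the GPG signature over the complete, final rpm."""
    return hmac.new(SIGNING_KEY, full_rpm, hashlib.sha256).digest()


def verify_full_rpm(full_rpm: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign_full_rpm(full_rpm), signature)


def payload_digest(data: bytes) -> str:
    # deltarpm records an MD5 of the target here; SHA-256 is used instead so the
    # checksum stage is not affected by a FIPS policy that forbids MD5.
    return hashlib.sha256(data).hexdigest()


def make_delta(old: bytes, new: bytes, block: int = 4) -> dict:
    """Toy delta builder (not deltarpm's format): each block of the new file
    becomes either a copy from the installed file or a literal 'add'."""
    ops = []
    for i in range(0, len(new), block):
        chunk = new[i:i + block]
        pos = old.find(chunk)
        ops.append(("copy", pos, len(chunk)) if pos >= 0 else ("add", chunk))
    return {"ops": ops, "digest": payload_digest(new)}


def apply_delta(old: bytes, delta: dict) -> bytes:
    """Rebuild the full payload; raise if it does not match the delta's digest."""
    out = bytearray()
    for op in delta["ops"]:
        if op[0] == "copy":
            out += old[op[1]:op[1] + op[2]]
        elif op[0] == "add":
            out += op[1]
        else:
            raise ValueError(f"unknown delta op {op[0]!r}")
    rebuilt = bytes(out)
    if payload_digest(rebuilt) != delta["digest"]:
        raise ValueError("rebuilt payload does not match the delta's digest")
    return rebuilt


def fetch_update(installed: bytes, delta: dict, signature: bytes, fetch_full):
    """Client side of the drpm flow. The checksum only detects corruption; the
    signature over the rebuilt rpm is the actual trust decision, and any failure
    falls back to downloading and verifying the full signed rpm."""
    try:
        candidate = apply_delta(installed, delta)
    except ValueError:
        candidate = None
    if candidate is not None and verify_full_rpm(candidate, signature):
        return candidate, "delta"
    full = fetch_full()
    if not verify_full_rpm(full, signature):
        raise RuntimeError("full rpm failed signature verification; refusing to install")
    return full, "full"


def tamper(delta: dict) -> dict:
    """Fault-injection helper for the demo: corrupts one literal byte, standing in
    for a delta damaged in transit or on a mirror."""
    ops = list(delta["ops"])
    for i, op in enumerate(ops):
        if op[0] == "add":
            ops[i] = ("add", bytes([op[1][0] ^ 0xFF]) + op[1][1:])
            break
    return {"ops": ops, "digest": delta["digest"]}


def demo():
    """Returns which path served the update for an intact and a corrupted delta,
    and whether both paths yielded the genuine rpm."""
    signature = sign_full_rpm(NEW_RPM)
    delta = make_delta(OLD_RPM, NEW_RPM)
    good, how_good = fetch_update(OLD_RPM, delta, signature, lambda: NEW_RPM)
    bad, how_bad = fetch_update(OLD_RPM, tamper(delta), signature, lambda: NEW_RPM)
    return how_good, how_bad, good == NEW_RPM and bad == NEW_RPM


if __name__ == "__main__":
    print(demo())
```

The third case worth keeping in mind is a delta whose internal checksum is consistent with its own (wrong) content: `apply_delta` accepts it, and only the signature check over the rebuilt rpm rejects it and triggers the fallback. That is why the checksum algorithm is a robustness and FIPS-compliance concern rather than the security boundary.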