On 11/6/21 6:47 AM, Neal Gompa wrote:
On Sat, Nov 6, 2021 at 3:43 AM Daniel Alley <dalley(a)redhat.com>
wrote:
>
>> On Wed, Aug 11, 2021 at 10:03:50PM +0200, Marek Marczykowski-Górecki wrote:
>> I do think we should drop drpms or make them more useful, but I don't
>> think there's any security angle here. (see below)
>>
>> drpms work by downloading the delta, then using it + the version you
>> have installed to recreate the signed rpm (just like you downloaded the
>> full signed update) and then the gpg signature is checked of that full rpm,
>> just like one you downloaded. If the drpm is tampered with it won't
>> reassemble and it will fall back to the full signed rpm.
>
> Sorry to resurrect this thread.
>
> Another issue - which is not per-se a security issue but it's still a problem -
is that deltarpm uses md5 checksums pervasively. They're everywhere. And it uses its
own implementation of md5 which doesn't respect FIPS, so even when the user has
*explicitly* configured their system to not use md5 for anything security-relevant,
libdeltarpm won't know or care.
This is not true with libdrpm though, and that version is what
createrepo_c uses.
Yes, but createrepo_c isn’t what runs on end-user devices.
Sincerely,
Demi Marie Obenour (she/her/hers)