On 11/14/2017 11:14 AM, Steve Grubb wrote:
> It's for checking that the metadata hasn't been tampered with since signing. For example, suppose you need some packages out of EPEL. EPEL has a distributed mirror list that volunteers contribute bandwidth for everyone's benefit. However, what if their server became compromised and an attacker removed the entry for a critical package update for a network facing daemon? The intent being to keep people from patching to allow more compromises.
Ultimately, I see this example as an impact to availability and not integrity. Assuming the EPEL package signing key was not compromised (I certainly hope EPEL mirrors are not given the package signing key), a modification to the repo metadata will not prevent my systems from verifying the integrity of the software in each package. If a package or patch is missing in the repo, other controls are in place to monitor this (even on FIPS low systems).
I am completely behind "gpgcheck" being a CAT I, but I am not convinced "repo_gpgcheck" should be any higher than CAT II.
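The two settings debated above are separate keys in a yum/dnf `.repo` file, and a site that rates them at different severities needs to report them separately. The following is an added example, not code from either poster, that audits enabled repositories for each setting on its own. The `.repo` content is constructed for illustration; the audit treats an absent `gpgcheck` or `repo_gpgcheck` as off (yum/dnf's per-repository default) and an absent `enabled` as on, both stated as assumptions in the comments.

```python
import configparser
from typing import Dict, List

# Constructed sample .repo file for this example; the repository ids, URLs and
# key path are placeholders, not real EPEL configuration.
SAMPLE_REPO = """\
[epel]
name=Extra Packages for Enterprise Linux
metalink=https://example.invalid/metalink?repo=epel-7&arch=x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE

[local-testing]
name=Local test builds
baseurl=file:///srv/repo
enabled=1
gpgcheck=0

[disabled-mirror]
name=Old mirror, kept for reference
baseurl=https://example.invalid/old
enabled=0
gpgcheck=0
repo_gpgcheck=0
"""

# One message per setting so each can be mapped to its own severity.
GPGCHECK_MSG = "gpgcheck is off: package signatures are not verified"
REPO_GPGCHECK_MSG = "repo_gpgcheck is off: repository metadata signature is not verified"


def _is_on(section: configparser.SectionProxy, key: str, default: str) -> bool:
    """Interpret a yum/dnf boolean; the caller supplies the default for an absent key."""
    value = section.get(key, default).strip().lower()
    return value in ("1", "true", "yes", "on")


def parse_repo_file(text: str) -> configparser.ConfigParser:
    """Parse .repo (INI-style) text; interpolation is disabled so '%' in URLs is left alone."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def audit_repos(text: str, require_repo_gpgcheck: bool = True) -> Dict[str, List[str]]:
    """Return {repo_id: [findings]} for enabled repositories that fail a check.

    Assumptions: a missing 'enabled' means enabled (default "1"); a missing
    'gpgcheck' or 'repo_gpgcheck' means off (default "0"), as in yum/dnf when
    no value is set in [main]. Disabled repositories are skipped because the
    package manager never consults them.
    """
    parser = parse_repo_file(text)
    findings: Dict[str, List[str]] = {}
    for repo_id in parser.sections():
        section = parser[repo_id]
        if not _is_on(section, "enabled", default="1"):
            continue
        problems = []
        if not _is_on(section, "gpgcheck", default="0"):
            problems.append(GPGCHECK_MSG)
        if require_repo_gpgcheck and not _is_on(section, "repo_gpgcheck", default="0"):
            problems.append(REPO_GPGCHECK_MSG)
        if problems:
            findings[repo_id] = problems
    return findings


if __name__ == "__main__":
    for repo_id, problems in audit_repos(SAMPLE_REPO).items():
        for problem in problems:
            print(f"{repo_id}: {problem}")
```

Setting `require_repo_gpgcheck=False` reports only the package-signature finding, which is how a site would run the check if it adopts the view in the reply that a missing `repo_gpgcheck` is a lower-severity item than a missing `gpgcheck`.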