[TriLUG] Tsk Tsk Tsk...

Beth Ellison leonardbernst55 at hotmail.com
Fri Oct 26 08:51:05 EDT 2001


Errata (authenticity guaranteed ;) for the PGP situation are available at the 
Red Hat site, too.

http://www.redhat.com/support/errata/rh72-errata.html


>From: Marty Ferguson <marty.ferguson at pobox.com>
>Reply-To: trilug at trilug.org
>To: trilug at trilug.org
>Subject: [TriLUG] Tsk Tsk Tsk...
>Date: Thu, 25 Oct 2001 19:32:45 -0400
>
>Apparently Red Hat did not PGP sign some of the RPMs included
>in the 7.2 distribution.  These files are on various FTP sites,
>including ibiblio over at UNC.
>
>See:
>
>http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0019.html
>
>I find the bullet down on this security briefing page to be particularly
>misleading:
>
>http://www.info-sec.com/OSsec/OSsec_1.shtml
>
>It's not until after reading the full text of the article that the reader
>discovers that the warning isn't about the actual Red Hat 7.2 distribution,
>but rather the inability to authenticate.  A subtlety like that is easily
>lost in the popular press.
>
>Actually, the only way to *really* *really* guarantee authenticity would be
>to purchase a box set.  And in fact, how could we even verify the
>authenticity of a box set sold at Best Buy?  Perhaps it is safest to purchase
>directly from the Red Hat web site...   ;-)
>
>This blunder may lead to increased sales of the boxed set by those who
>insist on having 7.2, but may lead to a smaller installed base of 7.2 due
>to the problem of authentication.
>
>What, no $30 box set anymore?
>And ISO images of the $79 box set can't be easily authenticated?
>
>I suppose someone could do a binary compare ( cmp ) between known authentic
>RH 7.2 media and the files on the various FTP sites.
>
>The bad thing about the unsigned RPMs is that rogue versions can be
>substituted by unscrupulous people.
>
>You can check the GPG key all by itself using the -K option in rpm:
>
>==========================
>I've copied the zsh rpm into my home directory.
>I dd the file to copy it, leaving off the last byte of the file,
>and I use rpm -K to check the original and the "bogus" version, test.rpm.
>==============
>
>[marty at lx3 marty]$ ls -l zsh-3.0.8-8.i386.rpm
>-rw-r--r--    1 marty    marty      503936 Oct 25 14:18 zsh-3.0.8-8.i386.rpm
>[marty at lx3 marty]$ rpm -K zsh-3.0.8-8.i386.rpm
>zsh-3.0.8-8.i386.rpm: md5 (GPG) OK (MISSING KEYS: GPG#DB42A60E)
>[marty at lx3 marty]$ dd if=zsh-3.0.8-8.i386.rpm of=test.rpm bs=1 count=503935
>503935+0 records in
>503935+0 records out
>[marty at lx3 marty]$ rpm -K test.rpm
>error: test.rpm: rpmReadSignature failed
>
>=============================
>
>Regards,
>Marty
>
>
>_______________________________________________
>TriLUG mailing list
>http://www.trilug.org/mailman/listinfo/trilug
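The `rpm -K` session quoted above checks the signature header that sits at the front of every RPM. The Python below is an added example, not part of this thread and not rpm's own code: it reads that header directly and separates the two things `rpm -K` folds into one line, namely whether the MD5 digest matches the rest of the file and whether a PGP/GPG signature entry exists at all. It assumes rpm's on-disk layout (a 96-byte lead starting with ed ab ee db, then a header structure starting with 8e ad e8 01, 16-byte index entries, data store padded to 8 bytes) and the signature tag numbers from rpm's rpmtag.h. The sample packages are constructed inside the script; the "signature" they carry is dummy bytes, not a real OpenPGP packet, so the script reports presence of a signature, never its validity. That is also what the `(GPG) ... MISSING KEYS` in Marty's output means: rpm found a signature but had no key to check it against, so the package was not actually authenticated. The point it demonstrates is the one behind the warning: a rogue package with a recomputed digest still reads as "md5 OK", while Marty's truncated copy fails only because the file is no longer internally consistent.

```python
"""Inspect an RPM's signature header: signed, or MD5-digest-only?
Added example; layout and tag numbers taken from rpm's file format, the
sample packages are constructed here and carry a dummy signature."""
import hashlib
import struct
import sys

LEAD_MAGIC = b"\xed\xab\xee\xdb"     # first bytes of the 96-byte RPM lead
HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # first bytes of every RPM header structure
LEAD_SIZE = 96
ENTRY_FMT = ">iiii"                  # index entry: tag, type, offset, count
TYPE_INT32, TYPE_BIN = 4, 7

# Signature-header tags (rpm's rpmtag.h)
SIGTAG_SIZE = 1000   # size of header + payload that follow the signature header
SIGTAG_PGP = 1002    # RSA signature over header + payload (rpm 3 / 4.0 era)
SIGTAG_MD5 = 1004    # MD5 digest over header + payload
SIGTAG_GPG = 1005    # DSA signature over header + payload (rpm 3 / 4.0 era)
SIGTAG_DSA = 267     # header-only DSA signature (rpm 4.1 and later)
SIGTAG_RSA = 268     # header-only RSA signature (rpm 4.1 and later)
SIGNATURE_TAGS = {SIGTAG_PGP, SIGTAG_GPG, SIGTAG_DSA, SIGTAG_RSA}


def parse_signature_header(data):
    """Return (entries, body): entries maps tag -> raw bytes, body is what
    follows the 8-byte-aligned signature header.  A truncated or malformed
    file raises ValueError, the condition rpm reports as 'rpmReadSignature
    failed'."""
    if data[:4] != LEAD_MAGIC or len(data) < LEAD_SIZE + 16:
        raise ValueError("rpmReadSignature failed: bad lead")
    hdr = LEAD_SIZE
    if data[hdr:hdr + 4] != HEADER_MAGIC:
        raise ValueError("rpmReadSignature failed: bad header magic")
    nindex, hsize = struct.unpack(">ii", data[hdr + 8:hdr + 16])
    index_start = hdr + 16
    store_start = index_start + 16 * nindex
    store_end = store_start + hsize
    if store_end > len(data):
        raise ValueError("rpmReadSignature failed: header truncated")
    entries = {}
    for i in range(nindex):
        ent = data[index_start + 16 * i:index_start + 16 * (i + 1)]
        tag, typ, off, count = struct.unpack(ENTRY_FMT, ent)
        nbytes = count * 4 if typ == TYPE_INT32 else count   # BIN: count is bytes
        entries[tag] = data[store_start + off:store_start + off + nbytes]
    body_start = store_end + (-store_end % 8)   # store is padded to 8 bytes
    return entries, data[body_start:]


def verify(data):
    """The two questions behind `rpm -K`, answered separately: does the MD5
    digest match the rest of the file, and is any signature present?"""
    entries, body = parse_signature_header(data)
    if SIGTAG_SIZE in entries:
        (declared,) = struct.unpack(">i", entries[SIGTAG_SIZE])
        if declared != len(body):   # what a chopped-off last byte trips over
            raise ValueError("rpmReadSignature failed: size mismatch")
    md5_ok = SIGTAG_MD5 in entries and hashlib.md5(body).digest() == entries[SIGTAG_MD5]
    sigs = sorted(set(entries) & SIGNATURE_TAGS)
    return {"md5_ok": md5_ok, "signed": bool(sigs), "signature_tags": sigs}


def build_rpm(body, signed):
    """Construct a minimal RPM-shaped file for the demonstration.  The MD5 is
    real; the 'signature' is dummy bytes, not an OpenPGP packet."""
    entries = [(SIGTAG_SIZE, TYPE_INT32, struct.pack(">i", len(body))),
               (SIGTAG_MD5, TYPE_BIN, hashlib.md5(body).digest())]
    if signed:
        entries.append((SIGTAG_GPG, TYPE_BIN, b"DUMMY-SIGNATURE-BYTES"))
    index, store = b"", b""
    for tag, typ, raw in entries:
        if typ == TYPE_INT32:
            store += b"\0" * (-len(store) % 4)   # INT32 entries are 4-byte aligned
        count = 1 if typ == TYPE_INT32 else len(raw)
        index += struct.pack(ENTRY_FMT, tag, typ, len(store), count)
        store += raw
    sig = HEADER_MAGIC + b"\0" * 4 + struct.pack(">ii", len(entries), len(store)) + index + store
    sig += b"\0" * (-len(sig) % 8)
    return LEAD_MAGIC + b"\0" * (LEAD_SIZE - 4) + sig + body


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # inspect a real package instead
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], verify(f.read()))
        sys.exit(0)
    genuine = build_rpm(b"constructed: real package contents", signed=True)
    rogue = build_rpm(b"constructed: backdoored contents", signed=False)
    print("genuine  ", verify(genuine))        # md5_ok True, signed True
    print("rogue    ", verify(rogue))          # md5_ok True, signed False: 'md5 OK' proves nothing
    try:
        verify(genuine[:-1])                   # Marty's dd experiment
    except ValueError as e:
        print("truncated", e)
```

Run it with no arguments for the constructed demonstration, or with a path to a real `.rpm` to see whether that package carries any signature entry. A result of `signed: True` still only means a signature is present; checking it requires Red Hat's public key in a keyring rpm can use (`rpm --import` on later rpm releases), which is exactly the step the `MISSING KEYS` line says had not happened.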

