
fedora/updates repository safety

asked 2018-09-16 17:26:53 -0500

mb3

I'm coming from an Ubuntu background. I've switched over to Fedora and am just wondering about the safety precautions to take when installing packages from the fedora and updates repos. What kind of vetting process are done? Have there been any reports of malware on the repos? What about rpm fusion repos? Are those more "risky"?


Comments

I think your question is more about security than safety.

genodeftest (2018-09-18 04:07:33 -0500)

3 Answers


answered 2018-09-18 04:28:23 -0500

genodeftest

updated 2018-09-21 09:35:55 -0500

Fedora official repositories:

How does an update to a package come into fedora:

  1. The package maintainer(s) or anyone else with write access to the package repository pushes a commit to the git repositories. You can find one such repository here: https://src.fedoraproject.org/rpms/gs.... This requires git access through an SSH key. Maybe username+password is also possible.
  2. The package maintainer(s) or anyone else with write access to the package repository triggers a koji build. Requires the SSH key.
  3. The package gets pushed to the updates-testing repository. It is being tested and needs to get at least 3 upvotes or stay untested for a longer time to get pushed to the updates repository. Votes are happening through username+password login on a TLS-encrypted website, https://bodhi.fedoraproject.org/.²
  4. The package lists on the server are signed using a GPG key installed to /etc/pki/rpm-gpg.
  5. The package list contains signatures (checksums) of all package RPMs that will be checked by your local dnf instance on installation.¹

When a new package is added to Fedora, several people have a look at the process so they may spot security issues. Everything else works as listed above.

¹: Package list checking can be disabled or enabled. Check whether the file /etc/dnf/dnf.conf has a line gpgcheck=True (the default) and the repository configuration in /etc/yum.repos.d/ does NOT have this line.

²: Bodhi is not enabled for rawhide, the early development branch of Fedora. Each package directly goes to the repository without going through the testing procedure. This happens before the "Beta Freeze", i.e. any package landing in Fedora Beta must have been there for a few weeks. Any package added to Fedora later (e.g. to the stable version) must go through bodhi.

Some possible attack vectors protected against:

  • Assumption: The package maintainer introduces malware. This is publicly visible in the git repo. It may or may not be spotted when testing the Beta or in bodhi.
  • Assumption: Third party attacker introduces modified packages to the mirrors. Dnf will notify you of incorrect signatures and not install the package.
  • Assumption: Man in the middle attack on your internet connection. Dnf will notify you of incorrect signatures and abort.

Protection missing against:

  • Attackers which can break SSH or GPG
  • Attacks on package maintainers

More details on this process can be found on the wiki. Have a look at the Fedora wiki for a start.

EDIT: There is also a nice blog post in Fedora magazine about the process.

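Footnote ¹ above says signature checking is only as good as the gpgcheck setting in /etc/dnf/dnf.conf and in each file under /etc/yum.repos.d/. The following POSIX shell script is an added example, not part of the answer, that audits both: it reads the global setting and lists every repo section that explicitly turns gpgcheck off. It runs against constructed sample files in a temp directory; point it at the real /etc paths to audit a live system.

```shell
#!/bin/sh
# Added example (not from the answer): audit whether dnf's GPG verification
# is enabled globally and whether any repo file overrides it with gpgcheck=0.
# Paths are passed as arguments so the script can run on constructed samples.
set -eu

# Return 0 if gpgcheck is enabled in dnf.conf. The key is on by default,
# so an absent line counts as enabled; the last occurrence wins.
global_gpgcheck_enabled() {
    val=$(sed -n 's/^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*//p' "$1" | tail -n1)
    case "${val:-1}" in
        1|[Tt]rue|[Yy]es) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<file>:<repo-id>" for every [section] in *.repo that sets gpgcheck
# to 0/false/no, i.e. a repo whose packages would install unverified.
repos_disabling_gpgcheck() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^\[.*\]$/ { id = substr($0, 2, length($0) - 2) }
            /^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*(0|[Ff]alse|[Nn]o)[[:space:]]*$/ { print file ":" id }
        ' "$f"
    done
}

# --- constructed sample configuration (stands in for /etc/dnf and /etc/yum.repos.d) ---
tmp=$(mktemp -d)
printf '[main]\ngpgcheck=True\ninstallonly_limit=3\n' > "$tmp/dnf.conf"
mkdir "$tmp/yum.repos.d"
printf '[fedora]\nname=Fedora\ngpgcheck=1\n' > "$tmp/yum.repos.d/fedora.repo"
printf '[vendor]\nname=Hypothetical vendor repo\ngpgcheck=0\n' > "$tmp/yum.repos.d/vendor.repo"

if global_gpgcheck_enabled "$tmp/dnf.conf"; then
    echo "global gpgcheck: enabled"
else
    echo "global gpgcheck: DISABLED"
fi
echo "repos with gpgcheck turned off:"
repos_disabling_gpgcheck "$tmp/yum.repos.d"
rm -r "$tmp"
```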

Comments

Thanks! This is exactly what I was looking for! I appreciate your analysis

mb3 (2018-09-18 10:35:59 -0500)

Might add that the gpg keys for previous and the next two fedora releases are distributed as gpg-signed rpm files and updated through dnf.

The checksums of the iso files are provided in a file which is gpg signed, so you would be able to verify the authenticity of the downloaded iso file.

villykruse (2018-09-21 10:23:04 -0500)

answered 2018-09-18 04:09:20 -0500

genodeftest

About third party repositories:

RPMFusion has a history of bad infrastructure with outdated server software or providing HTTPS on their web servers. They also happen to disable PGP package signing/verification from time to time. Their IT security is ok, but worse compared to the official repositories.

I took a look at other third-party repositories a while ago and all of them had bad or worse safety/security architecture.


Comments

Really? Thanks for the heads up. I'll keep an eye out.

mb3 (2018-09-18 10:36:48 -0500)
