Re: One for the Security Guru's

From: James Cleverdon (jamesclv@us.ibm.com)
Date: Wed Oct 23 2002 - 17:39:43 EST


On Wednesday 23 October 2002 03:17 pm, James Stevenson wrote:
> > Be surprised: I run "gpg --verify foo.tgz.sign foo.tgz" every time I
> > download from kernel.org. And, "rpm --checksig *.rpm" on stuff from
> > redhat.com too.
>
> and when an attacker looks into your .bash_history see this and modifies
> gpg and rpm ?

First, I use ksh, so the kiddie is looking into the wrong history. ;^)

Second, I'm trying to keep him/her/git out by not loading a trojaned package.
Once the scumbag is inside your box, it's much harder to throw them out. In
fact, a reinstall is usually in order.

Third, if they don't do it already, I'd like kpackage, gnorpm, and similar
tools to always check signatures before loading a package. (And, for the GPG
public keys used to have come with trust signatures from the installation
CD.) That would really help with all the newbies to *nix coming on board
now.

PS: If you don't trust your gpg or rpm, boot off install CD # 1, switch to a
text console, and use the ones on the CD. QED. :^)

-- 
James Cleverdon
IBM xSeries Linux Solutions
{jamesclv(Unix, preferred), cleverdj(Notes)} at us dot ibm dot com
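The "gpg --verify" habit above has one catch worth spelling out: gpg exits 0 for a good signature from any key in the keyring, so a script that only checks the exit status cannot tell the kernel.org key from one that was slipped into the keyring. The following is an added example, not from this thread, that reads gpg's machine-readable --status-fd output and accepts a file only when the VALIDSIG fingerprint matches a pinned one; the fingerprint and status transcript in it are constructed for illustration.

```shell
#!/bin/sh
# check_gpg_status STATUS PINNED_FPR
# Inspect a gpg --status-fd transcript: fail on any bad/err/expired/revoked
# signature status, and require a VALIDSIG whose full fingerprint equals the
# pinned one. (Status line formats are from gnupg's doc/DETAILS.)
check_gpg_status() {
    status="$1"
    pinned="$2"
    if printf '%s\n' "$status" \
        | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NODATA|EXPSIG|EXPKEYSIG|REVKEYSIG)'; then
        return 1
    fi
    # Field 3 of the VALIDSIG line is the signing key's fingerprint.
    fpr=$(printf '%s\n' "$status" \
        | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
    [ -n "$fpr" ] || return 1
    [ "$fpr" = "$pinned" ]
}

# verify_with_pinned_key SIGFILE DATAFILE PINNED_FPR
# Runs gpg as in the thread ("gpg --verify foo.tgz.sign foo.tgz") but feeds
# the status output through check_gpg_status instead of trusting exit 0.
verify_with_pinned_key() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    check_gpg_status "$status" "$3"
}

# Constructed sample data (not a real key or signature) for a dry run.
PINNED_FPR=0000111122223333444455556666777788889999
SAMPLE_GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6666777788889999 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2002-10-23 1035369600 0 4 0 1 2 00 0000111122223333444455556666777788889999
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 6666777788889999 Example Signer <signer@example.invalid>'

if check_gpg_status "$SAMPLE_GOOD_STATUS" "$PINNED_FPR"; then
    echo "sample transcript: signed by the pinned key"
else
    echo "sample transcript: rejected"
fi
```

A good signature from a different key in the keyring (different VALIDSIG fingerprint) is rejected the same way as a BADSIG, which is the point of pinning.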
