Vulnerability Development mailing list archives

Re: Automatic updates (was: Nokia 7110 Wap Browser Hole)


From: Thierry Mallard <thierry.mallard () IDEALX COM>
Date: Sun, 23 Jul 2000 18:40:36 +0200

On Sun, Jul 23, 2000 at 02:04:59AM +0200, Bluefish wrote:
[...]
> But honestly I don't think automatic updates must be less secure than
> simply pointing your browser to windowsupdate.microsoft, or worse, totally
> unauthenticated updates like Red Hat's rpm.

I don't know much about security, but I noticed Mandrake (or probably RedHat)
RPMs are GPG-signed:

Before having incorporated the public key:

[tsm@calvin RPMS]$ rpm --checksig qt-devel-1.44-20mdk.i586.rpm 
qt-devel-1.44-20mdk.i586.rpm: md5 GPG NOT OK


After incorporation:
[tsm@calvin RPMS]$ gpg --import RPM-GPG-KEYS 
gpg: clé 9B4A4024 : clé publique importée
gpg:        Quantité totale traitée : 1
gpg:                       importée : 1

[tsm@calvin RPMS]$ rpm --checksig qt-devel-1.44-20mdk.i586.rpm 
qt-devel-1.44-20mdk.i586.rpm: md5 gpg OK


Just my two cents...


-- 
Thierry Mallard                    | GnuPG key on pgp.ai.mit.edu
http://IDEALX.com                  | key 0xA3D021CB
http://thierry.mallard.com         | 
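
Added example, not part of the original message: a shell gate that classifies `rpm --checksig` result lines in the format shown above and accepts a batch only when every package carries a verified GPG/PGP signature. The function names are hypothetical, the third sample line is constructed, and the "md5 OK" form for an unsigned package is an assumption about the rpm version used in the message.

```shell
#!/bin/sh
# Classify one `rpm --checksig` result line.
# Prints: verified | unsigned | failed | unparsed
classify_checksig() {
    line=$1
    result=${line#*: }            # text after "<package file>: "
    [ "$result" != "$line" ] || { echo unparsed; return; }
    # Explicit failure, e.g. "md5 GPG NOT OK" (key missing or bad signature).
    case " $result " in
        *" NOT OK "*) echo failed; return ;;
    esac
    # Anything that does not end in " OK" is treated as a failure (fail closed).
    case "$result" in
        *" OK") ;;
        *) echo failed; return ;;
    esac
    # A lower-case gpg/pgp token means a signature was actually checked.
    # A digest-only result ("md5 OK") proves integrity, not origin.
    case " $result " in
        *" gpg "*|*" pgp "*) echo verified ;;
        *) echo unsigned ;;
    esac
}

# Read result lines on stdin; succeed only if there is at least one line
# and every line classifies as "verified".
all_verified() {
    seen=0 rc=0
    while IFS= read -r l; do
        [ -n "$l" ] || continue
        seen=1
        s=$(classify_checksig "$l")
        printf '%-9s %s\n' "$s" "$l"
        [ "$s" = verified ] || rc=1
    done
    [ "$seen" -eq 1 ] && [ "$rc" -eq 0 ]
}

# Sample input: first two lines are from the message, the third is constructed.
all_verified <<'EOF' || echo "gate: refusing to install this batch"
qt-devel-1.44-20mdk.i586.rpm: md5 GPG NOT OK
qt-devel-1.44-20mdk.i586.rpm: md5 gpg OK
example-1.0-1.i586.rpm: md5 OK
EOF
```

In real use the input would come from `rpm --checksig *.rpm | all_verified`, run only after the vendor key has been imported from a trusted source.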
