From: Mark Hatle <mark.hatle@windriver.com>
To: <openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH] rpm-5.4.14: disable external key server
Date: Fri, 26 Jun 2015 09:00:49 -0500 [thread overview]
Message-ID: <558D5B11.7020900@windriver.com> (raw)
In-Reply-To: <1435301841-15924-1-git-send-email-rongqing.li@windriver.com>
On 6/26/15 1:57 AM, rongqing.li@windriver.com wrote:
> From: yzhu1 <yanjun.zhu@windriver.com>
>
> When rpm makes header verification, rpm will send request to the
> extern server, this is a potential risk.
Just to explain what this is. When RPM experiences a signed package, with a
signature that it does NOT know. By default it will send the -fingerprint- (and
only the 16 digit fingerprint) to an external HKP server, trying to get the key
down.
This is probably not a reasonable default behavior for the system to do, instead
it should simply fail the key lookup. If someone wants to enable the HKP server
it's easy enough to do by enabling the necessary macros.
> Signed-off-by: yzhu1 <yanjun.zhu@windriver.com>
> ---
> .../rpm-macros.in-disable-external-key-server.patch | 21 +++++++++++++++++++++
> meta/recipes-devtools/rpm/rpm_5.4.14.bb | 1 +
> 2 files changed, 22 insertions(+)
> create mode 100644 meta/recipes-devtools/rpm/rpm/rpm-macros.in-disable-external-key-server.patch
>
> diff --git a/meta/recipes-devtools/rpm/rpm/rpm-macros.in-disable-external-key-server.patch b/meta/recipes-devtools/rpm/rpm/rpm-macros.in-disable-external-key-server.patch
> new file mode 100644
> index 0000000..206f258
> --- /dev/null
> +++ b/meta/recipes-devtools/rpm/rpm/rpm-macros.in-disable-external-key-server.patch
> @@ -0,0 +1,21 @@
> +disable external key server
> +
> +Upstream-Status: Pending
> +
> +When rpm makes header verification, rpm will send request to the
> +extern server, this is a potential risk.
> +
> +Signed-off-by: yzhu1 <yanjun.zhu@windriver.com>
> +--- a/macros/macros.in
> ++++ b/macros/macros.in
> +@@ -546,8 +546,8 @@ $_arbitrary_tags_tests Foo:Bar
> + # Horowitz Key Protocol server configuration
> + #
> + #%_hkp_keyserver hkp://keys.n3npq.net
> +-%_hkp_keyserver hkp://pool.sks-keyservers.net
> +-%_hkp_keyserver_query %{_hkp_keyserver}/pks/lookup?op=get&search=
> ++#%_hkp_keyserver hkp://pool.sks-keyservers.net
> ++#%_hkp_keyserver_query %{_hkp_keyserver}/pks/lookup?op=get&search=
> +
> +
> + %_nssdb_path /etc/pki/nssdb
> diff --git a/meta/recipes-devtools/rpm/rpm_5.4.14.bb b/meta/recipes-devtools/rpm/rpm_5.4.14.bb
> index 75b1ae2..666a68e 100644
> --- a/meta/recipes-devtools/rpm/rpm_5.4.14.bb
> +++ b/meta/recipes-devtools/rpm/rpm_5.4.14.bb
> @@ -92,6 +92,7 @@ SRC_URI = "http://www.rpm5.org/files/rpm/rpm-5.4/rpm-5.4.14-0.20131024.src.rpm;e
> file://rpm-realpath.patch \
> file://0001-using-poptParseArgvString-to-parse-the-_gpg_check_pa.patch \
> file://no-ldflags-in-pkgconfig.patch \
> + file://rpm-macros.in-disable-external-key-server.patch \
> "
>
> # Uncomment the following line to enable platform score debugging
>
prev parent reply other threads:[~2015-06-26 14:00 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-26 6:57 [PATCH] rpm-5.4.14: disable external key server rongqing.li
2015-06-26 14:00 ` Mark Hatle [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=558D5B11.7020900@windriver.com \
--to=mark.hatle@windriver.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox