LinuxQuestions.org


tux_addicted 09-16-2005 03:47 AM

How YOU (Yast Online Update) verifies package integrity before installation?
 
Hi all!

I have googled around for a few minutes but I have not found anything that answers the question: How could YOU 'know' that the packages downloaded from an update server/mirror are the 'real' ones?
Let's say we have an update available for package Xyz on some server.
So, before doing an update, it could retrieve from a SUSE server (i.e. a server _administrated_ by SUSE) a simple LIST in the form (XYZ <--> md5) and, after comparing the md5 (performed by YOU) with the one from the LIST, we could relatively know it's 'ok'.

Does someone have an idea of how it works?

Thanks.

abisko00 09-16-2005 04:10 AM

I don't know the exact procedure, but from reading /var/log/YaST2/y2log I learned that YOU is checking signatures of each patch:
Code:

[liby2util++] GPGCheck.cc(GPGCheck):30 Directory '/var/lib/YaST2/gnupg' exists.
[packagemanager++] PMYouPatchInfo.cc(readDir):400 Check signature of '/var/lib/YaST2/you/mnt/i386/update/9.1/patches/fetchmsttfonts-3'
[packagemanager++] PMYouPatchInfo.cc(readDir):407 Signature ok.

Furthermore, YOU is receiving the list of update servers automatically from http://www.suse.de/cgi-bin/suseservers.cgi, which gives some additional security.
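
One way to audit the y2log lines quoted above, as an added example that is not part of the original thread: it pairs each "Check signature of" entry with a following "Signature ok." and reports patches that never got one. The function name, the pairing rule and the `example-patch-*` log lines are assumptions made for illustration.

```python
import re

# Patterns taken from the y2log lines quoted in the thread; search() is used so
# any timestamp/host prefix a real log line carries is ignored.
CHECK_RE = re.compile(r"PMYouPatchInfo\.cc\(readDir\):\d+ Check signature of '([^']+)'")
OK_RE = re.compile(r"PMYouPatchInfo\.cc\(readDir\):\d+ Signature ok\.")

# First three lines are the ones quoted in the thread; the rest are constructed
# (hypothetical patch names) to exercise the "no confirmation logged" case.
SAMPLE_LOG = """\
[liby2util++] GPGCheck.cc(GPGCheck):30 Directory '/var/lib/YaST2/gnupg' exists.
[packagemanager++] PMYouPatchInfo.cc(readDir):400 Check signature of '/var/lib/YaST2/you/mnt/i386/update/9.1/patches/fetchmsttfonts-3'
[packagemanager++] PMYouPatchInfo.cc(readDir):407 Signature ok.
[packagemanager++] PMYouPatchInfo.cc(readDir):400 Check signature of '/var/lib/YaST2/you/mnt/i386/update/9.1/patches/example-patch-1'
[packagemanager++] PMYouPatchInfo.cc(readDir):400 Check signature of '/var/lib/YaST2/you/mnt/i386/update/9.1/patches/example-patch-2'
[packagemanager++] PMYouPatchInfo.cc(readDir):407 Signature ok.
"""

def audit_signature_checks(lines):
    """Return (verified, unverified) lists of patch paths.

    Assumption: a patch is verified only if 'Signature ok.' is logged after its
    'Check signature of' line and before the next check begins. The wording of
    a failed check is not shown in the thread, so anything else is unverified.
    """
    verified, unverified = [], []
    pending = None  # patch whose check has started but is not yet confirmed
    for line in lines:
        match = CHECK_RE.search(line)
        if match:
            if pending is not None:
                unverified.append(pending)
            pending = match.group(1)
        elif pending is not None and OK_RE.search(line):
            verified.append(pending)
            pending = None
    if pending is not None:
        unverified.append(pending)
    return verified, unverified

if __name__ == "__main__":
    ok, missing = audit_signature_checks(SAMPLE_LOG.splitlines())
    print(f"{len(ok)} patch(es) with 'Signature ok.'")
    for path in missing:
        print(f"NO CONFIRMATION LOGGED: {path}")
```

`audit_signature_checks` accepts any iterable of lines, so an open file handle for /var/log/YaST2/y2log can be passed to it directly.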

tux_addicted 09-16-2005 04:25 AM

Quote:

Originally posted by abisko00
I don't know the exact procedure, but from reading /var/log/YaST2/y2log I learned that YOU is checking signatures of each patch:
Code:

[liby2util++] GPGCheck.cc(GPGCheck):30 Directory '/var/lib/YaST2/gnupg' exists.
[packagemanager++] PMYouPatchInfo.cc(readDir):400 Check signature of '/var/lib/YaST2/you/mnt/i386/update/9.1/patches/fetchmsttfonts-3'
[packagemanager++] PMYouPatchInfo.cc(readDir):407 Signature ok.

Furthermore, YOU is receiving the list of update servers automatically from http://www.suse.de/cgi-bin/suseservers.cgi, which gives some additional security.

Thanks! :)

I think I will sleep much better at night.. ;) :D

