LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Suse/Novell
User Name
Password
Suse/Novell This Forum is for the discussion of Suse Linux.

Notices

Reply
 
Search this Thread
Old 09-16-2005, 03:47 AM   #1
tux_addicted
LQ Newbie
 
Registered: Aug 2005
Posts: 18

Rep: Reputation: 0
How YOU (Yast Online Update) verifies package integrity before installation?


Hi all!

I have google'd around a few minutes but i have not found something that answer to the question: How YOU could 'know' that the packages download-ed from an update server/mirror are the 'real' ones?
Let's say we have an update available for package Xyz on some server.
So, before doing an update, it could retrieve from a suse server ( i.e. a server _administrated_ by SUSE ) a simple LIST in the form ( XYZ <--> md5) and, after comparing the md5 ( performed by the YOU ) with the one from the LIST, we could relatively know it's 'ok'..

Does someone has an idea of how it works?

Thanks.
 
Old 09-16-2005, 04:10 AM   #2
abisko00
Senior Member
 
Registered: Mar 2004
Location: Munich
Distribution: SuSE, Ubuntu
Posts: 3,511

Rep: Reputation: 58
I don't know the exact procedure, but from reading /var/log/YaST2/y2log I learned that YOU is checking signatures of each patch:
Code:
[liby2util++] GPGCheck.cc(GPGCheck):30 Directory '/var/lib/YaST2/gnupg' exists.
[packagemanager++] PMYouPatchInfo.cc(readDir):400 Check signature of '/var/lib/YaST2/you/mnt/i386/update/9.1/patches/fetchmsttfonts-3'
[packagemanager++] PMYouPatchInfo.cc(readDir):407 Signature ok.
Furthermore, YOU is receiving the list of update servers automatically from http://www.suse.de/cgi-bin/suseservers.cgi, which gives some additional security.
 
Old 09-16-2005, 04:25 AM   #3
tux_addicted
LQ Newbie
 
Registered: Aug 2005
Posts: 18

Original Poster
Rep: Reputation: 0
Talking

Quote:
Originally posted by abisko00
I don't know the exact procedure, but from reading /var/log/YaST2/y2log I learned that YOU is checking signatures of each patch:
Code:
[liby2util++] GPGCheck.cc(GPGCheck):30 Directory '/var/lib/YaST2/gnupg' exists.
[packagemanager++] PMYouPatchInfo.cc(readDir):400 Check signature of '/var/lib/YaST2/you/mnt/i386/update/9.1/patches/fetchmsttfonts-3'
[packagemanager++] PMYouPatchInfo.cc(readDir):407 Signature ok.
Furthermore, YOU is receiving the list of update servers automatically from http://www.suse.de/cgi-bin/suseservers.cgi, which gives some additional security.
Thanks!

I think i will sleep much better at night..
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Problems with NVIDIA drivers after kernel update with yast online update Sheytan Linux - Software 4 05-06-2007 10:27 AM
YaST Online Update(YOU) Kernel Update? batorma Linux - Newbie 9 10-30-2005 03:17 AM
online update Yast zoolmoon Linux - Newbie 1 03-23-2005 02:01 AM
Problems with NVIDIA drivers after kernel update with yast online update Sheytan Linux - Distributions 0 10-13-2004 11:01 AM
Yast online update sniff Linux - Distributions 3 03-20-2003 12:51 AM


All times are GMT -5. The time now is 11:28 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration