
Re: [suse-security] Secure updating/installing of packages



On Jul 20, neodaxus@xxxxxxx <neodaxus@xxxxxxx> wrote:

> theoretically it is possible that modified packages for Linux distributions are made available in order to create backdoors (e.g. through a hacked server or mirror, wrong IP routing / DNS resolving, or simply someone making available manipulated packages at a site under his control).
>
> I wonder how SuSE and other distros protect themselves against this threat.
> [...]
> Who knows about SuSE (YOU + Yast)?

All SuSE packages are cryptographically signed with the SuSE build key (build@xxxxxxx). It is automatically installed from the CDs.

In addition to that, fou4s (http://fou4s.gaugusch.at/) allows you to install packages that are signed with fully trusted keys, apart from the SuSE key.

Markus

--
__________________    /"\
Markus Gaugusch       \ /    ASCII Ribbon Campaign
markus(at)gaugusch.at  X     Against HTML Mail
                      / \
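
A check for the tampered-mirror scenario discussed above, as an added example that is not part of the original thread: it treats a package as acceptable only when `rpm --checksig` reports a verified signature, not merely matching digests. The output formats it recognises are an assumption based on common rpm releases, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not code from the thread or from SuSE/fou4s.
# Assumption: `rpm --checksig` prints "FILE: <tokens> OK" on success and
# "... NOT OK ..." on failure; exact tokens vary between rpm versions.

# classify_checksig LINE -> prints signed-ok | unsigned | bad
classify_checksig() {
    line=$1
    result=${line#*: }                  # drop the "file.rpm: " prefix
    case $result in
        *"NOT OK"*) echo bad; return ;; # bad digest/signature or missing key
        *OK) ;;                         # fall through to the signature check
        *) echo bad; return ;;          # unexpected output: fail closed
    esac
    # A package that carries only digests (md5/sha1) still reports OK.
    # Digests catch corruption, not a manipulated mirror, so require a
    # signature token as well.
    case " $result " in
        *" gpg "*|*" pgp "*|*" signatures "*) echo signed-ok ;;
        *) echo unsigned ;;
    esac
}

# verify_rpm FILE -> status 0 only when rpm reports a good signature.
# The vendor's build key must already be in the keyring rpm checks against.
verify_rpm() {
    out=$(LC_ALL=C rpm --checksig "$1" 2>&1) || true
    [ "$(classify_checksig "$out")" = signed-ok ]
}

# Usage: sh thisfile.sh package1.rpm package2.rpm ...
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        if verify_rpm "$f"; then
            echo "$f: signature verified"
        else
            echo "$f: REJECTED (unsigned, bad signature, or unknown key)"
        fi
    done
fi
```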
