SCIENTIFIC-LINUX-USERS Archives

May 2007

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Jon Peatfield <[log in to unmask]>
Reply To: Jon Peatfield <[log in to unmask]>
Date: Mon, 21 May 2007 18:15:19 +0100
Content-Type: TEXT/PLAIN
Parts/Attachments: TEXT/PLAIN (29 lines)

On Thu, 17 May 2007, Keith Lofstrom wrote:

> I run ancient old tripwire nightly on my machines.  Yesterday, on my
> SL4.4 laptop, I noticed that it had found changes to "vipw" and other
> security related tools.  A little concerned, I downloaded the latest
> version of chkrootkit and ran it, finding no problems.  I looked at
> the yum logs, and found a yum upgrade of util-linux from sl-errata;
> the header file shows that vipw and the rest had been updated.
>
> False alarm, I am probably safe, assuming no outbreak of evil at SL or
> TUV (=The Upstream Vendor in North Carolina, for those wondering).

I should have commented that turning on gpgcheck in each of the repos you
have enabled for updates will ensure that someone can't just get you to
run arbitrary code if they break into the SL servers (or whichever mirror
you use).  Instead they would also need to force one of the SL people to
sign the dodgy package as well...

Of course that will only work if you have imported the GPG keys for the 
people/sites you trust, or does yum do that automatically (I see there is 
a gpgkey entry for each repo listing the keys one expects to find used 
there).

I'm now puzzling over why the default seems to be to ship with all the
yum.repos.d/ entries having gpgcheck=0; surely the extra work of doing a
sig-check isn't so great, is it?

  -- Jon
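The repo settings discussed above, as an added example that is not part of the thread: a small audit of a yum.repos.d directory that reports every enabled repo whose section does not have gpgcheck=1 together with a gpgkey= entry, run against a constructed .repo file that shows the weak default beside the corrected form. The file name, repo ids, mirror URL and key path are placeholders, not real SL values.

```shell
#!/bin/sh
# Added example (not from the original thread). Audits a yum.repos.d
# directory for enabled repos that skip signature verification, i.e.
# gpgcheck is not 1 or no gpgkey= is set. File names, repo ids, URLs
# and the key path below are constructed placeholders.
# Print "<file> <repo-id>" for each enabled repo section that is not
# configured to verify package signatures.
audit_repo_gpgcheck() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            function val() { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); return $0 }
            function flush() {
                if (id != "" && enabled != "0" && (gpgcheck != "1" || gpgkey == ""))
                    print file, id
            }
            /^\[[^]]+\]/ { flush(); id = substr($0, 2, index($0, "]") - 2)
                           enabled = "1"; gpgcheck = ""; gpgkey = ""; next }
            /^[ \t]*enabled[ \t]*=/  { enabled  = val() }
            /^[ \t]*gpgcheck[ \t]*=/ { gpgcheck = val() }
            /^[ \t]*gpgkey[ \t]*=/   { gpgkey   = val() }
            END { flush() }
        ' "$f"
    done
}

# Constructed sample: the weak default beside the corrected form.
write_sample_repos() {
    cat > "$1/sl-example.repo" <<'EOF'
[sl-errata-unsigned]
name=errata, weak setting: any package the mirror serves is installed
baseurl=http://mirror.example.invalid/sl/errata/
enabled=1
gpgcheck=0

[sl-errata-signed]
name=errata, corrected: yum rejects packages not signed by a key in gpgkey
baseurl=http://mirror.example.invalid/sl/errata/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
EOF
}

# Demo: expect only sl-errata-unsigned to be reported.
d=$(mktemp -d)
write_sample_repos "$d"
audit_repo_gpgcheck "$d"
rm -rf "$d"
```

With gpgcheck=1, yum imports the key named in gpgkey= the first time it is needed (asking for confirmation unless run with -y); rpm --import on the key file does the same step explicitly, and rpm --checksig verifies an already downloaded package against the imported keys.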