[Rpm-maint] [rpm-software-management/rpm] Make 'rpm -V' more resistent against rpmdb manipulations (#196)

Jeff Johnson notifications at github.com
Mon Apr 10 16:18:20 UTC 2017


Blockchain  can establish that an rpmdb event happened. That isn't enough because a root kit can either fake an rpmdb event, or skip using blockchain to register the event.

On a compromised system, any executable, including the tools used to track installs, can be altered.

Creating a trusted 3rd party store of "orphaned" metadata (like you are describing with EPEL) might use a blockchain to track its updates, and provide metadata and file digests for "rpm -Vp" instead of RO media.

(aside)
There are security protocols in the TCG MTM spec to handle software installations and forensics for manage mobile devices that could be used for an rpmdb. However adding rpm to the "trusted base" would take an effort comparable to switching to "secure boot" on linux.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/196#issuecomment-293000462
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20170410/53977be8/attachment.html>


More information about the Rpm-maint mailing list