RFE: Add opt-in metadata signature verification.

Bug #656501 reported by Jeff Johnson
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fix Released
Jeff Johnson

Bug Description

RPM 5.3 has dropped signature verification on headers retrieved
from an rpmdb because
    1) there's no known benefit or increase in security
    2) there's a performance penalty which -- while not large -- doesn't meet
    luser expectations.

Verifying the signature on the header metadata blob needs to be resurrected as
"opt-in" functionality with --verify, and (for extra credit) performed on a separate thread.

Tags: rpmdb sign verify
Jeff Johnson (n3npq)
Changed in rpm:
assignee: nobody → Jeff Johnson (n3npq)
status: New → Confirmed
importance: Undecided → Medium
tags: added: rpmdb sign verify
Jeff Johnson (n3npq)
summary: - RFE: Add opt-in metadata sugnature verification.
+ RFE: Add opt-in metadata signature verification.
Revision history for this message
Jeff Johnson (n3npq) wrote :

Verifying header signatures was add to --verify a while ago.
The operation is also multi-threaded using -fopenmp as well.

Changed in rpm:
status: Confirmed → Fix Released
milestone: none → 5.3.12
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Related blueprints

Remote bug watches

Bug watches keep track of this bug in other bug trackers.