Date: Tue, 3 Mar 2015 13:32:57 +0300
From: gremlin@...mlin.ru
To: oss-security@...ts.openwall.com
Subject: Re: validation on update

On 2015-03-02 19:24:30 +0000, Simon McVittie wrote:

>>>> Does it use any sort of package signing and signature
>>>> verification?
>>> Seeing as the patch only does s/http/https/,
>> Obviously, that doesn't really help.
> It's a start, at least...

Of course, that's much better than nothing.

> it tells you that this was a reply to your request, made by
> someone controlling the corresponding private key for a "valid"
> certificate for Maven Central's hostname.

That's good for the first communication.

> An end-to-end integrity check from the original publisher to
> the consumer would prevent more attacks, but would also be
> harder to deploy (it requires action from each publisher,

Running `gpg --detach-sign < package.tar.gz > package.tar.gz.sig` (or,
better, `gpg -ba ...`) on each release isn't a big deal...

> verification at each consumer,

Running `gpg --verify package.tar.gz.sig package.tar.gz` will do that
just perfectly. And, when talking about automatic updates, that should
be included in the update procedure.

> and a way to determine whether publisher X is authorized to
> publish package Y);

`gpg --no-default-keyring --keyring /path/authors.pub --verify ...`

> protecting against trivial attacks is not as good as protecting
> against sophisticated attacks, but seems considerably better
> than not protecting against anything at all.

Yes. But I hope the software developers wouldn't stop after that and
will use the above-mentioned trivial commands as well.

-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
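The three gpg commands in the reply above, put together as an added example that is not part of the original post: a publisher detach-signs a release with `gpg -ba`, a consumer verifies it with `--verify` against a keyring that holds only the keys of authorised publishers (`--no-default-keyring --keyring authors.pub`), and both a file altered after signing and a perfectly valid signature from a key outside that keyring are rejected. The key names, the `example.invalid` addresses and the package contents are constructed for the demo; it assumes GnuPG 2.1 or later (for `--quick-generate-key` and `--pinentry-mode loopback`) and works entirely in throw-away GNUPGHOME directories.

```shell
#!/bin/sh
# Added example: publisher-to-consumer release signing with a dedicated
# keyring of authorised publishers. All names and contents are constructed.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
PUBLISHER="$WORK/publisher"   # the release manager's private GNUPGHOME
ROGUE="$WORK/rogue"           # some other, unauthorised, key holder
CONSUMER="$WORK/consumer"     # the consumer's GNUPGHOME: holds no keys at all
AUTHORS="$WORK/authors.pub"   # keyring of publishers allowed to sign releases
mkdir -m 700 "$PUBLISHER" "$ROGUE" "$CONSUMER"

cleanup() {
    for h in "$PUBLISHER" "$ROGUE" "$CONSUMER"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Generate a sign-only key without a passphrase (acceptable for a demo only).
gen_key() {  # gen_key <home> <user-id>
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" ed25519 sign 0 2>/dev/null
}

# Detached, ASCII-armoured signature: "gpg -ba", as recommended in the post.
sign_release() {  # sign_release <home> <file>   -> writes <file>.sig
    GNUPGHOME="$1" gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        -ba --output "$2.sig" "$2"
}

# Verify using ONLY the authors keyring, from the consumer's empty home.
# Exit status is gpg's: 0 for a good signature from a listed key, non-zero
# for a BAD signature or for a key that is not in authors.pub.
verify_release() {  # verify_release <file>
    GNUPGHOME="$CONSUMER" gpg --batch --no-default-keyring \
        --keyring "$AUTHORS" --verify "$1.sig" "$1"
}

setup() {
    gen_key "$PUBLISHER" "Release Manager <release@example.invalid>"
    gen_key "$ROGUE" "Somebody Else <other@example.invalid>"
    # Only the publisher's public key is exported into the authorised keyring.
    GNUPGHOME="$PUBLISHER" gpg --batch --quiet --export --output "$AUTHORS"
    printf 'constructed package contents\n' > "$WORK/package.tar.gz"
    printf 'constructed package contents\n' > "$WORK/other.tar.gz"
}

# Scenario 1: a genuine release signed by the authorised publisher -> accepted.
good_release() {
    sign_release "$PUBLISHER" "$WORK/package.tar.gz"
    verify_release "$WORK/package.tar.gz"
}

# Scenario 2: the same file altered after signing -> BAD signature, rejected.
tampered_release() {
    printf 'x' >> "$WORK/package.tar.gz"
    if verify_release "$WORK/package.tar.gz"; then return 1; else return 0; fi
}

# Scenario 3: a valid signature, but from a key absent from authors.pub
# -> "No public key", rejected: this is the publisher-authorisation check.
unauthorised_release() {
    sign_release "$ROGUE" "$WORK/other.tar.gz"
    if verify_release "$WORK/other.tar.gz"; then return 1; else return 0; fi
}

setup
if good_release;         then echo "genuine release:     accepted"; else echo "genuine release:     REJECTED (unexpected)"; fi
if tampered_release;     then echo "tampered release:    rejected"; else echo "tampered release:    ACCEPTED (unexpected)"; fi
if unauthorised_release; then echo "unauthorised signer: rejected"; else echo "unauthorised signer: ACCEPTED (unexpected)"; fi
```

Run it as `sh sign-verify-demo.sh`. gpg will print a "key is not certified with a trusted signature" warning on the good case: the consumer's trust database is empty, and with a dedicated keyring the authorisation decision is "is the key in authors.pub", not the web of trust. An update procedure that calls `verify_release` should treat any non-zero status the same way, whether the reason is a bad signature or an unlisted key.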