[savannah-help-public] [sr #109567] Download area link for some packages
From: Bruno Haible
Subject: [savannah-help-public] [sr #109567] Download area link for some packages uses insecure http protocol
Date: Sat, 6 Oct 2018 20:25:09 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Follow-up Comment #2, sr #109567 (project administration):
> everyone is free to setup a mirror, and we add them to our list on their
> request.
Ouch, this is bad. Someone who wants to become a MITM for some packages just
has to set up a mirror, notify GNU, and add Trojan horses to the sources and
binaries they offer.
> I think the only real protection is signatures.
Signatures done right would work, yes. But not in the current form:
1) It picks some mirror (in my tests, even the SAME mirror) for a file and its
signature file. (I tried
https://download.savannah.nongnu.org/releases/acl/acl-2.2.53.tar.gz and
https://download.savannah.nongnu.org/releases/acl/acl-2.2.53.tar.gz.sig.)
To enforce security, it would make sense to fetch the .sig file from the main
site and only the non-signature files from the mirror.
2) It requires that users check the signatures. Distros are doing this, but
end users often are not - because there is no easy "download + check
signature" script available. Some work may be in progress on creating such a
script, I don't know.
3) The signatures rely on PGP/GPG, and we all know that there are fake
identities floating around in the PGP/GPG servers that are only apparent when
checking more than the usual 8 digits of a key ID.
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/support/?109567>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/