[Lazarus] An online package manager

Tony Whyman tony.whyman at mccallumwhyman.com
Mon Aug 10 17:33:40 CEST 2015



On 10/08/15 16:15, Michael Van Canneyt wrote:
>> 4. All packages in the repository should be signed (e.g. using a GPG 
>> user key). Only packages signed using a known key should be allowed 
>> to install.
>
> I don't see the point in that. 

An online repository is potentially vulnerable to:

- DoS Attacks
- Man in the middle attacks
- Unauthorised modification of repository data

DoS is probably out of scope and man in the middle could be countered by 
demanding https only. However, I don't think I would like to claim that 
any website is invulnerable to unauthorised modification. Hence I 
propose that a digital signature is available for each file in the 
repository. The basic idea is that the signing key is only available to 
an authorised user (probably 3DES encrypted) and thus even if an 
attacker succeeds in uploading a malicious file, the attack is not 
successful unless the attacker can persuade the site administrator to 
sign the file.

This extra level of security should be sufficient to counter such an attack.

Tony
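The check described in the message above, "only packages signed using a known key should be allowed to install", as an added example that is not Lazarus code and not from the original post. It is written in Go rather than Pascal because Go's standard library carries a signature primitive, and it uses Ed25519 detached signatures in place of GPG; the Keyring, SignedPackage, Sign, Verify and Demo names and the sample archive bytes are all constructed for the illustration. The client holds only the administrator's public key; the repository serves each archive with the fingerprint of the signing key and a signature over the package name plus the archive bytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Keyring holds the public keys the client is willing to accept
// packages from (hypothetical structure, not Lazarus code).
type Keyring struct {
	keys map[string]ed25519.PublicKey // fingerprint -> public key
}

func NewKeyring() *Keyring { return &Keyring{keys: map[string]ed25519.PublicKey{}} }

// Fingerprint is a short hex SHA-256 of the raw public key bytes. It is only
// a lookup handle; verification uses the key itself, never the fingerprint.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

func (k *Keyring) Trust(pub ed25519.PublicKey) { k.keys[Fingerprint(pub)] = pub }

// SignedPackage is what the repository serves: the archive bytes, the
// fingerprint of the key that signed it, and a detached signature.
type SignedPackage struct {
	Name      string
	Data      []byte
	KeyID     string
	Signature []byte
}

// message binds the package name into the signed bytes, so a genuine
// signature on one package cannot be replayed under another name.
func message(name string, data []byte) []byte {
	return append([]byte(name+"\x00"), data...)
}

// Sign is what the site administrator runs with the private key; the
// private key never reaches the client or the web server.
func Sign(priv ed25519.PrivateKey, name string, data []byte) SignedPackage {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedPackage{Name: name, Data: data, KeyID: Fingerprint(pub),
		Signature: ed25519.Sign(priv, message(name, data))}
}

var (
	ErrUnknownKey   = errors.New("package signed by a key not in the trusted keyring")
	ErrBadSignature = errors.New("signature does not match package name and contents")
)

// Verify rejects a package unless the claimed key is trusted and its
// signature covers exactly the bytes that would be installed.
func (k *Keyring) Verify(p SignedPackage) error {
	pub, ok := k.keys[p.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, message(p.Name, p.Data), p.Signature) {
		return ErrBadSignature
	}
	return nil
}

// DemoResult holds the outcome of each constructed scenario.
type DemoResult struct {
	Genuine, Tampered, ForgedClaimingAdminKey, UnknownKey, Relabelled error
}

// Demo walks the attacker scenarios from the message: a modified file, a
// file uploaded with a forged signature, and a file signed by someone else.
func Demo() DemoResult {
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	ring := NewKeyring()
	ring.Trust(adminPub) // the client ships with the administrator's public key only

	archive := []byte("constructed sample: contents of somepkg-1.0.zip")
	good := Sign(adminPriv, "somepkg", archive)

	tampered := good // attacker modified the archive on the web server
	tampered.Data = append([]byte{}, archive...)
	tampered.Data[0] ^= 0x01

	forged := Sign(attackerPriv, "somepkg", []byte("malicious archive"))
	forged.KeyID = good.KeyID // attacker claims the administrator's key id

	unknown := Sign(attackerPriv, "somepkg", []byte("malicious archive"))

	relabelled := good // genuine signature replayed under another package name
	relabelled.Name = "otherpkg"

	return DemoResult{
		Genuine:                ring.Verify(good),
		Tampered:               ring.Verify(tampered),
		ForgedClaimingAdminKey: ring.Verify(forged),
		UnknownKey:             ring.Verify(unknown),
		Relabelled:             ring.Verify(relabelled),
	}
}

func main() {
	r := Demo()
	fmt.Println("genuine:", r.Genuine)
	fmt.Println("tampered:", r.Tampered)
	fmt.Println("forged with admin key id:", r.ForgedClaimingAdminKey)
	fmt.Println("unknown key:", r.UnknownKey)
	fmt.Println("relabelled:", r.Relabelled)
}
```

Only the genuine package verifies; the other four are refused before anything is unpacked. The example does not model the administrator's key being encrypted at rest, which the message mentions as the other half of the scheme; it only shows why uploading a file to the server is not enough once the client insists on a signature from a trusted key.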
