[Lazarus] An online package manager
Tony Whyman
tony.whyman at mccallumwhyman.com
Mon Aug 10 17:33:40 CEST 2015
On 10/08/15 16:15, Michael Van Canneyt wrote:
>> 4. All packages in the repository should be signed (e.g. using a GPG
>> user key). Only packages signed using a known key should be allowed
>> to install.
>
> I don't see the point in that.
An online repository is potentially vulnerable to:
- DoS Attacks
- Man in the middle attacks
- Unauthorised modification of repository data
DoS is probably out of scope and man in the middle could be countered by
demanding https only. However, I don't think I would like to claim that
any website is invulnerable to unauthorised modification. Hence I
propose that a digital signature is available for each file in the
repository. The basic idea is that the signing key is only available to
an authorised user (probably 3DES encrypted) and thus even if an
attacker succeeds in uploading a malicious file, the attack is
unsuccessful unless the attacker can persuade the site administrator to
sign the file.
This extra level of security should be sufficient to counter such an attack.
Tony
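One way the installer side of this proposal could be implemented, as an added example that is not code from this thread or from the Lazarus project: the package file and its detached GPG signature are verified against a dedicated keyring, and the result is accepted only if the signing key's fingerprint is on an explicit allowlist. The fingerprints, key id and status lines below are constructed placeholders; `verify_package` assumes a `gpg` binary on the PATH.

```python
import subprocess
from pathlib import Path

# Constructed allowlist: full fingerprints of the keys the site administrator
# signs with. Placeholder value, not a real key.
TRUSTED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

REJECT_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def decide(status_lines, trusted=TRUSTED_FINGERPRINTS):
    """Apply the install policy to gpg --status-fd output lines.

    Accept only on a VALIDSIG whose primary-key fingerprint is allowlisted.
    A zero exit status or a GOODSIG line alone is not enough: gpg will happily
    report a good signature from any key it can find, and refusing unknown
    keys is the whole point of the allowlist.
    """
    valid_fpr = None
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag in REJECT_TAGS:
            return False, tag
        if tag == "VALIDSIG":
            # fields[2] is the signing (sub)key fingerprint; when gpg reports the
            # primary-key fingerprint it is the 12th field, so prefer that.
            valid_fpr = (fields[11] if len(fields) >= 12 else fields[2]).upper()
    if valid_fpr is None:
        return False, "NO_VALIDSIG"
    if valid_fpr not in trusted:
        return False, "UNTRUSTED_KEY"
    return True, "OK"

def verify_package(package: Path, signature: Path, keyring: Path):
    """Verify a detached signature using only the repository keyring (absolute path)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
         "--status-fd", "1", "--verify", str(signature), str(package)],
        capture_output=True, text=True)
    return decide(proc.stdout.splitlines())

# Constructed sample of what gpg emits for a signature by the allowlisted key.
SAMPLE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Site Admin <admin@example.invalid>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-08-10 "
    "1439220820 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567",
]

if __name__ == "__main__":
    print(decide(SAMPLE_STATUS))
```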