[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Chicken-users] chicken-install package integrity/signing

From: Jason Valencia
Subject: [Chicken-users] chicken-install package integrity/signing
Date: Sat, 24 Nov 2018 17:56:52 +0000

As far as I can tell, chicken-install (as of 5.0.0 and before):
- Does not download packages over HTTPS, and
- Does no package signing

Because of this, it would be trivial for anyone sitting between my
computer and my mirror (i.e. when using public Wi-Fi or other untrusted
networks) to tamper with the code I receive. This is bad as a malicious
actor could potentially run code on my machine, or install code that
will be run later, possibly even as root.

I think it would be good to sign packages, and refuse to install a
package if it has an invalid signature. HTTPS would also be nice, but is
not necessary. I believe this is what Debian does by default; packages
are signed and served over regular HTTP.

The setup.defaults file containing a list of mirrors could contain a
fingerprint, maybe per-repository so it would be possible to have an
in-house repository that is signed with a different key, or unsigned.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]