Around 200 packages [0] include upstream scripts that download code via
(non-secure) http, then run it without an integrity check.
This is obviously a security hole (network MITM => code execution), but
not necessarily one that is opened by normal use of the package. (E.g.
fetch-dependencies-
https isn't any more secure than http as long as you do not have a
verifiably trustworthy server certificate that you can check for. As we
know the certification authority system is totally broken. It is a bug
if a build script tries to download something. It must work offline as
well. I do not
On 01/05/2020 20:31, Elmar Stellnberger wrote:
> https isn't any more secure than http as long as you do not have a
> verifiably trustworthy server certificate that you can check for. As we
> know the certification authority system is totally broken.
Imperfect yes, but still better than nothing.
It
On Fri, May 1, 2020 at 8:18 PM Rebecca N. Palmer wrote:
> This is already policy (and enforced by blocking network access) for
> official Debian package builds: dependencies must be installed by the
> package manager, not the build script.
Correction: the debian.org buildds do not at this time bl
On Fri, May 1, 2020 at 7:12 PM Rebecca N. Palmer wrote:
> Around 200 packages [0] include upstream scripts that download code via
> (non-secure) http, then run it without an integrity check.
A lot of these appear to be in documentation, dependency installation
scripts (such as in docker) or conti