Frugalware

Please read the http://frugalware.org/docs/bugs page if you are new to bugreporting!
Tasklist

FS#3332 - pacman gpg support, https support for forums/bugs

Attached to Project: Frugalware
Opened by Richard (richard) - Friday, 29 August 2008, 03:23 GMT+1
Last edited by crazy (bugs) - Friday, 05 September 2008, 15:25 GMT+1
Task Type Feature Request
Category Applications
Status Assigned
Assigned To Krisztian VASAS (ironiq)
Miklos Vajna (vmiklos)
Operating System i686
Severity Medium
Priority Normal
Reported Version -current
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No

Details

I have submitted a feature request for GPG authentication of packages by the package manager before. However, after reading this article...

http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html

I believe the issue of authentication should be upgraded to a security related feature. Also, I would like to suggest using the https protocol for logins into both the Frugalware forums and the bug-tracking system. I believe the design flaw mentioned in the article could cause a serious man in the middle style attack upon the package management system if the package system doesn't bother to verify that downloaded packages are official. Likewise, such a attack may also target the Frugalware forums and the bug-tracking system - potentially compromising passwords.

In short, my recommendations would be to...
1. Add some sort of authentication to the Frugalware package management system for downloaded content. (Perhaps GPG signatures.)
2. Use https for logins to both the Frugalware forums and the bug-tracking system.
This task depends upon

Comment by Miklos Vajna (vmiklos) - Friday, 29 August 2008, 03:37 GMT+1
ok, as i said in #3228, i think singing the package databases (so the sha1 hashes of the fpm packages) makes sense, and i plan to implement that feature.

that is nice because that way we can use http securely for package updates.

https support for bts/forums is a different question.

both of them is hosted on 3rd-party servers (ie the servers are not fully dedicated to frugalware), so the question if https is supported there or not is not 100% depends on us.

though, it may worth a try.

two side notes:

1) please don't prefix this task with "[SEC]", that is meant for security problems in given packages, which is not true in this case.

2) https support for forums is not really a problem, it's just a discussion forums, no official announcements are made there, etc. (it is nice, but it isn't a sec. issue at all.)
Comment by Miklos Vajna (vmiklos) - Friday, 29 August 2008, 03:37 GMT+1
assign to bts m8r as well and fix up title

Loading...