[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#19479: Package manager vulnerable to replay attacks
|
From: |
Stefan Monnier |
|
Subject: |
bug#19479: Package manager vulnerable to replay attacks |
|
Date: |
Wed, 25 Nov 2020 19:43:29 -0500 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux) |
> I have just pushed the branch scratch/package-security with proper
> support for timestamps, as discussed below. More details are in the
> commit messages and the proposed documentation changes. Once this is
> merged, I hope to work on adding support for this to both GNU ELPA and
> NonGNU ELPA.
Do we need this hash-checksum, really?
AFAICT, I think if we want to avoid replay attacks we need indeed
a monotone "counter" (e.g. a timestamp) on the `archive-contents` and
then a way to verify that the tarballs are what they claim to be.
We can already verify that they are what they claim to be since the
tarball includes the version number inside the `<pkg>-pkg.el` file.
So, I think all we need is to verify the contents of `<pkg>-pkg.el`
after unpacking a tarball, to make sure it is indeed the package and
version its name claimed to be. This check would be welcome in any case
to detect packaging errors.
Stefan