#240 selfupdate using SSL

closed-later
nobody
None
5
2011-11-28
2011-11-28
Michael Roitzsch
No

The package description files are currently updated via 'fink selfupdate' using either CVS or rsync. Both mechanisms send unencrypted traffic that is not protected against tampering. An attacker in a privileged network position (read: man in the middle) can alter package description files while in transit and thereby install malware into your system as you compile and install a package from the malicious description.

A solution would be to use an SSL-protected protocol during 'fink selfupdate'; SVN over HTTPS is a possible choice.

Another solution would be to have the package description files signed by their respective maintainer or by the fink team, but that might bring along key management and bootstrapping problems.

Discussion

  • SVN over https would be a fine choice if:

    1) We had a svn repository set up, which we don't.
    2) There were a svn selfupdate method in the fink code--somebody does have one of these, but since there's not a backend that supports it, it hasn't been added yet.

    The current plan is to move our package descriptions over to github, which provides an HTTPS-based option. However, since most of our maintainers and core developers don't have much experience with git, we're trying to bring everybody up to speed.

     
  • Also:

    We currently have automatic support for the use of an HTTP proxy under the cvs selfupdate method.

     
  • The git solution sounds like a good way to go; I'll be looking forward to that. Feel free to close this tracker item as you see fit.

     
  • Yup. I'll do that. Thanks for moving it to github. At some point we'll probably switch the links on the homepage to do that automatically.

     
    • status: open --> closed-later