#240 selfupdate using SSL


The package description files are currently updated via 'fink selfupdate' using either CVS or rsync. Both mechanisms send unencrypted traffic that is not protected against tampering. An attacker in a privileged network position (read: man in the middle) can alter package description files while in transit and thereby install malware into your system as you compile and install a package from the malicious description.

A solution would be to use an SSL-protected protocol during 'fink selfupdate'; SVN over HTTPS is a possible choice.

Another solution would be to have the package description files signed by their respective maintainer or by the fink team, but that might bring along key management and bootstrapping problems.
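As an added illustration of the second proposal (this is example code, not part of fink or of this tracker item): a detached signature is produced over a package description with a team signing key, and the selfupdate side copies the description into its tree only if that signature verifies; a description altered in transit is rejected. It assumes `openssl` is installed, uses a key pair generated on the spot in place of a real team key, and takes the public key as already obtained out of band, which is exactly the bootstrapping problem the report mentions.

```shell
#!/bin/sh
# Added example, not fink code. Sign a .info description with a team key and
# verify it before selfupdate copies it into the description tree.
# Assumes openssl is installed; the key pair below is constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the fink team's signing key (a real one would live offline).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/team.key" 2>/dev/null
openssl pkey -in "$WORK/team.key" -pubout -out "$WORK/team.pub" 2>/dev/null

# Constructed package description; field names follow fink's .info layout.
cat > "$WORK/hello-1.0.info" <<'EOF'
Package: hello
Version: 1.0
Revision: 1
CompileScript: ./configure %c && make
InstallScript: make install prefix=%i
EOF

# sign_info KEY FILE -> writes FILE.sig (done once by the maintainer or team)
sign_info() { openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"; }

# verify_info PUB FILE -> exit 0 only if FILE matches its detached signature
verify_info() {
    openssl dgst -sha256 -verify "$1" -signature "$2.sig" "$2" >/dev/null 2>&1
}

# selfupdate-side gate: the description enters the tree only after verifying
install_if_trusted() {  # PUB FILE DESTDIR
    if verify_info "$1" "$2"; then
        cp "$2" "$3/" && echo "accepted $(basename "$2")"
    else
        echo "REJECTED $(basename "$2"): signature check failed" >&2
        return 1
    fi
}

sign_info "$WORK/team.key" "$WORK/hello-1.0.info"
mkdir -p "$WORK/tree"
install_if_trusted "$WORK/team.pub" "$WORK/hello-1.0.info" "$WORK/tree"

# Simulate a description modified in transit: the signature no longer matches
# the content, so the gate refuses it and nothing reaches the tree.
cp "$WORK/hello-1.0.info" "$WORK/tampered.info"
cp "$WORK/hello-1.0.info.sig" "$WORK/tampered.info.sig"
echo 'PostInstScript: echo modified-in-transit' >> "$WORK/tampered.info"
install_if_trusted "$WORK/team.pub" "$WORK/tampered.info" "$WORK/tree" || true
```

Note that the check protects the description content only; the source tarball it points to still needs its own checksum or signature.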


  • Alexander Hansen

    SVN over https would be a fine choice if:

    1) We had an svn repository set up, which we don't.
    2) There were an svn selfupdate method in the fink code--somebody does have one of these, but since there's not a backend that supports it, it hasn't been added yet.

    The current plan is to move our package descriptions over to github, which provides an HTTPS-based option. However, since most of our maintainers and core developers don't have much experience with git, we're trying to bring everybody up to speed.

  • Alexander Hansen


    We currently have automatic support for the use of a http proxy under the cvs selfupdate method.

  • Michael Roitzsch

    The git solution sounds like a good way to go, I'll be looking forward to that. Feel free to close this tracker item as you see fit.

  • Alexander Hansen

    Yup. I'll do that. Thanks for moving it to github. At some point we'll probably switch the links on the homepage to do that automatically.

  • Alexander Hansen

    • status: open --> closed-later
