On 11.04.2017 at 00:44, Dawid Bałut wrote:
ehh, I was simplifying to talk practically about the context of this particular case and how it can be improved at lowest cost. Of course I see the value of gpg signing and WOT in general. So without going into further discussion and creating more off-topic - how does the whole discussion answer the questions I raised in my initial email? Is there anything you're interested to do about it, or are you just going to throw weird accusations at me, like I'd be the person who had put those silly piped http guidelines on openvas website?

what should i do about it as an "ordinary user" who was never so stupid as to follow wrong advice blindly, because when i operate a server it's my natural job not to do copy&paste from somewhere without considering what i am doing, and looking at the length of this script the answer is "it's impossible that i understand completely what it does and so i grab the release-rpm and if that's not enough the whole source is not worth being used"

2017-04-11 0:23 GMT+02:00 Reindl Harald <[email protected]>:



    On 10.04.2017 at 22:44, Dawid Bałut wrote:

        If for shell script you have only one carrier which is the root
        trusted origin, you're eliminating the need for packages signing


    nonsense

    once you have the GPG keys you are even able to reject malformed
    packages from the "root trusted origin" in case it was compromised

    https://en.wikipedia.org/wiki/Web_of_trust

    if you can't see the value of GPG signing where you have *multiple*
    sources to verify the signer's key versus a random script with a hash
    placed on the same site and so both compromised especially with an
    idiotic pipe to a root shell where you don't do *any* verification i
    can't help you

    _______________________________________________
    Openvas-discuss mailing list
    [email protected]
    https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss



--

Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / CISO / Software-Development
m: +43 676 40 221 40
p: +43 1 595 3999 33
http://www.thelounge.net/
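
The point made in the thread about a hash published on the same site as the script, as an added example that is not part of the original messages: a digest fetched from the origin itself still matches after that origin is tampered with, while a reference obtained through a separate channel does not. The file names and functions are hypothetical, all files are constructed locally, and the pinned SHA-256 digest is only a stand-in for a GPG signature checked against a key verified from multiple sources.

```shell
#!/bin/sh
# Added example: constructed files only; nothing is downloaded or executed.

# sha256_of FILE -> prints the hex digest of FILE
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# same_site_check SCRIPT HASHFILE
# Trusts a digest published next to the script (same origin).
same_site_check() {
    [ "$(sha256_of "$1")" = "$(awk '{print $1}' "$2")" ]
}

# pinned_check SCRIPT PINNED_DIGEST
# Trusts only a digest obtained earlier through a separate channel
# (stand-in here for a signature from an independently verified key).
pinned_check() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# install_if_verified SCRIPT PINNED_DIGEST
# Prints "run" only when the pinned check passes; never pipes to a shell.
install_if_verified() {
    if pinned_check "$1" "$2"; then echo run; else echo reject; fi
}

demo() {
    dir=$(mktemp -d)
    # Constructed origin: the genuine installer and its published digest.
    printf 'echo installing\n' > "$dir/install.sh"
    sha256_of "$dir/install.sh" > "$dir/install.sh.sha256"
    pinned=$(sha256_of "$dir/install.sh")   # recorded out-of-band earlier

    # Constructed tampering: whoever can replace the script can also
    # replace the digest file sitting beside it.
    printf 'echo installing\necho tampered\n' > "$dir/install.sh"
    sha256_of "$dir/install.sh" > "$dir/install.sh.sha256"

    same_site_check "$dir/install.sh" "$dir/install.sh.sha256" && same=pass || same=fail
    verdict=$(install_if_verified "$dir/install.sh" "$pinned")
    rm -rf "$dir"
    echo "same-site=$same pinned=$verdict"
}

demo
```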