On Tue, Sep 22, 2015 at 9:04 AM Michael Wilber <[email protected]> wrote:

> Thank you for disclosing these vulnerabilities! Responsible disclosure
> helps everyone.
>
> Sam Tobin-Hochstadt <[email protected]> writes:
> > * Check any packages you have uploaded to the site, to ensure that no
> > unexpected changes have been made to them.
>
> Is package signing on Racket's roadmap? The only way to protect against
> these kinds of attacks is to have clients verify package signatures.
> Every major Linux package manager now does this. I think it's at least
> worth seriously considering.
>

This is definitely worth considering. I know people have thought about it,
but I don't think it's on anyone's near-term roadmap that I know of -- but
maybe someone's working on it and planning to speak up.

One challenge here is that the majority of the packages on the site are
pointers to GitHub, which update continuously. That means we could sign the
GitHub reference, but not the package contents, unlike in a Linux
distribution where they sign the actual package you download. That might
still be worth it, though.


> One question: If an attacker was able to access the server under the
> privileges of the package website, what's stopping them from just
> silently uploading a change and then removing that entry from the
> "Package Changes" list?
>

That is certainly a possibility, and it's why we can't rule out a
compromise even though we have no evidence for one. We recommend that you
look at the actual contents of your package entries on the server, and make
sure that they're correct.

Sam
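One concrete way to follow the advice above (compare the server's view of your packages with what you last published, and flag sources that point at a moving branch rather than a pinned commit). This is an added example, not Racket's own tooling: the catalog record layout, field names and sample entries below are constructed for illustration and are not the real pkgs.racket-lang.org format or API.

```python
"""Audit package catalog entries against a local record of what you published.

Added example, not part of the original thread or the Racket project.
Assumptions (constructed, not the real catalog format):
  - each catalog entry is a dict with "source" (git-style URL, optional
    "#ref" fragment) and "checksum" (the commit the server resolved to);
  - EXPECTED is the maintainer's own record of the last publish;
  - CATALOG stands in for whatever the server returns for your packages.
"""

import re
from urllib.parse import urlsplit

HEX40 = re.compile(r"^[0-9a-f]{40}$")

# Constructed commit ids (40 hex chars each), not real commits.
A, B, C, D = "a1" * 20, "b2" * 20, "c3" * 20, "d4" * 20

# What the maintainer believes is on the server (constructed).
EXPECTED = {
    "my-lib":  {"source": f"https://github.com/example/my-lib.git#{A}",  "checksum": A},
    "my-tool": {"source": f"https://github.com/example/my-tool.git#{B}", "checksum": B},
    "my-docs": {"source": "https://github.com/example/my-docs.git#master", "checksum": C},
}

# What the server currently says (constructed). my-tool has been retargeted,
# my-docs follows a branch, and an entry the maintainer never created appears.
CATALOG = {
    "my-lib":  {"source": f"https://github.com/example/my-lib.git#{A}",  "checksum": A},
    "my-tool": {"source": f"https://github.com/evil/my-tool.git#{D}",    "checksum": D},
    "my-docs": {"source": "https://github.com/example/my-docs.git#master", "checksum": C},
    "my-lib-compat": {"source": "https://github.com/evil/my-lib-compat.git", "checksum": D},
}


def git_ref(source):
    """Return the '#ref' part of a git-style package source, or None if absent."""
    frag = urlsplit(source).fragment
    return frag or None


def is_pinned(source):
    """True only if the source names a full commit id, not a branch or tag name."""
    ref = git_ref(source)
    return ref is not None and bool(HEX40.match(ref))


def audit(expected, catalog):
    """Return (package, kind, detail) findings; an empty list means all clear."""
    findings = []
    for name, want in expected.items():
        got = catalog.get(name)
        if got is None:
            findings.append((name, "missing", "entry absent from catalog"))
            continue
        if got.get("source") != want["source"]:
            findings.append((name, "source", f"{want['source']} -> {got.get('source')}"))
        if got.get("checksum") != want["checksum"]:
            findings.append((name, "checksum", f"{want['checksum']} -> {got.get('checksum')}"))
        if not is_pinned(got.get("source", "")):
            # Branch-tracking sources change continuously: the server's checksum
            # is just today's tip, so nothing signed over this entry pins contents.
            findings.append((name, "unpinned", f"source ref is {git_ref(got.get('source', ''))!r}"))
    for name in sorted(catalog.keys() - expected.keys()):
        findings.append((name, "unexpected", "catalog lists a package you did not publish"))
    return findings


if __name__ == "__main__":
    for pkg, kind, detail in audit(EXPECTED, CATALOG):
        print(f"{pkg:15} {kind:10} {detail}")
```

A "source" or "checksum" finding on a commit-pinned entry is the signal the advice above is after: the server record no longer matches what you published, whatever the change log shows. An "unpinned" finding is not evidence of tampering by itself, but it is exactly the case where even a signed catalog entry would cover only the GitHub reference and not the contents, so pinning to a commit is the prerequisite for any signing scheme to mean much.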

-- 
You received this message because you are subscribed to the Google Groups 
"Racket Developers" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/racket-dev/CAK%3DHD%2BY3TTJMnJ%3D5B3LjvE-BeS3WXqgpiE3iePLmF8d_nVGiew%40mail.gmail.com.