issue #02738

yorik wrote: ↑Wed Jun 20, 2018 2:22 pm
    One way to prevent this, which we should actually start to do, is to always publish a md5 hash code of the files we add to the releases page. So people can always check that these files are the actual ones we placed there, and that nobody manipulated them afterwards.
It's interesting that you mentioned that since it's related to something I'm gonna mention in my next GSOC post. Signed releases would be a nice security benefit for everyone, and they're one of the things Debian's linting tool lintian complains about:
    P: freecad source: debian-watch-does-not-check-gpg-signature
    N:
    N:   This watch file does not include a means to verify the upstream tarball
    N:   using cryptographic signature.
    N:
    N:   If upstream distributions provide such signatures, please use the
    N:   pgpsigurlmangle options in this watch file's opts= to generate the URL
    N:   of an upstream GPG signature. This signature is automatically downloaded
    N:   and verified against a keyring stored in
    N:   debian/upstream/signing-key.asc.
    N:
    N:   Of course, not all upstreams provide such signatures, but you could
    N:   request them as a way of verifying that no third party has modified the
    N:   code against their wishes after the release. Projects such as
    N:   phpmyadmin, unrealircd, and proftpd have suffered from this kind of
    N:   attack.
    N:
    N:   Refer to the uscan(1) manual page for details.
    N:
    N:   Severity: pedantic, Certainty: certain
    N:
    N:   Check: watch-file, Type: source
    N:
Wireshark is also a powerful tool for those sorts of investigations, and luckily it's just a sudo apt install wireshark away...

Kunda1 wrote: ↑Wed Jun 20, 2018 11:26 pm
    There are 3rd party programs that do this (if I understood you correctly), for example
    on OSX https://www.obdev.at/products/littlesnitch/index.html

I know I can buy something. My comments are focused on the computer, the internet connection and human nature. The OS is the best place to monitor because then everyone has access and they will get used to it, and look at it every so often; they might see something. That's the only way security works: someone has to look because it is a changing thing. The hackers are only going to get better, and the Microsofts will protect us? Doubt it.
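To make the signed-release point from earlier in the thread concrete, the following is an added example of a minimal release-signing workflow. It is not FreeCAD's release tooling and not code posted by anyone in this thread; it assumes GNU coreutils sha256sum and GnuPG on the path, and the release files it hashes are constructed stand-ins. The publisher side writes a SHA256SUMS manifest (SHA-256 rather than MD5, which is no longer collision resistant) and detach-signs it with the release key; the downloader side verifies the signature against a pinned public key before trusting the manifest, then checks every artifact against the manifest. The same sign_detached/verify_detached pair applied to the tarball itself is what uscan's pgpsigurlmangle option consumes, with debian/upstream/signing-key.asc playing the role of the pinned key file. The caveat worth stating plainly: a bare hash published next to the tarball only catches corruption, or a tamperer who forgets to update the page, because whoever can swap the tarball on the release page can usually swap the hash beside it; the detached signature is what moves trust to a key that is not on the web server.

```shell
#!/bin/sh
# Added example, not FreeCAD's or Debian's own tooling. Assumes GNU coreutils
# sha256sum and GnuPG. Release file names and contents below are constructed.

# Build a throwaway "release directory" holding two constructed artifacts.
# Prints the directory path.
make_sample_release() {
    dir=$(mktemp -d) || return 1
    printf 'constructed stand-in for a source tarball\n' > "$dir/release.tar.gz"
    printf 'constructed stand-in for an AppImage\n' > "$dir/release.AppImage"
    printf '%s\n' "$dir"
}

# Publisher side: write SHA256SUMS in the format "sha256sum -c" reads.
# The manifest and its signature are excluded so the manifest can be rebuilt.
write_manifest() {
    (
        cd "$1" || exit 1
        for f in *; do
            case "$f" in SHA256SUMS*) continue ;; esac
            if [ -f "$f" ]; then sha256sum "$f"; fi
        done > SHA256SUMS
    )
}

# Downloader side: return 0 only if every listed file is present and matches.
# A modified, truncated or missing artifact makes "sha256sum -c" exit non-zero.
verify_manifest() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}

# Publisher side: write FILE.asc, an armored detached signature made with the
# release key KEYID (fingerprint or key ID). Works for the manifest or for a
# tarball directly, which is the form uscan's pgpsigurlmangle expects.
sign_detached() {
    file=$1; keyid=$2
    gpg --batch --yes --armor --local-user "$keyid" \
        --output "$file.asc" --detach-sign "$file"
}

# Downloader side: verify FILE.asc over FILE using only the public key in
# PUBKEY (an exported key file), in a temporary GNUPGHOME so nothing from the
# user's normal keyring can satisfy the check. gpg --verify returns 0 for a
# good signature from any imported key, so the pinned key file alone is the
# trust anchor, exactly as with debian/upstream/signing-key.asc.
verify_detached() {
    file=$1; pubkey=$2
    home=$(mktemp -d) || return 1
    if ! GNUPGHOME=$home gpg --batch --quiet --import "$pubkey" >/dev/null 2>&1; then
        rm -rf "$home"; return 1
    fi
    if GNUPGHOME=$home gpg --batch --verify "$file.asc" "$file" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$home"
    return "$rc"
}

# Demo of the hash side, which needs no signing key: build a release, verify
# it, append bytes to one artifact (a tamper), and verify again.
demo() {
    d=$(make_sample_release) || return 1
    write_manifest "$d" || return 1
    verify_manifest "$d" && echo "clean release: manifest verifies"
    printf 'appended after release\n' >> "$d/release.tar.gz"
    verify_manifest "$d" || echo "tampered release: manifest check fails"
    rm -rf "$d"
}
```

Publisher flow: make the release directory, run write_manifest on it, then sign_detached on SHA256SUMS (and, if Debian packaging is to benefit, on the tarball too) with a key whose private half never lives on the web host. Downloader flow: fetch the artifacts, SHA256SUMS and SHA256SUMS.asc, run verify_detached with the project's published public key obtained from somewhere other than the release page, and only then run verify_manifest. Skipping the signature check and trusting a hash found on the same page as the download leaves the hash with no more authority than the file it describes.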