Search found 30 matches
- Wed Mar 10, 2010 10:59 pm
- Forum: [3.x][Archive] RFCs
- Topic: [RFC] Secure Automatic Upgrades
- Replies: 21
- Views: 48864
Re: [RFC] Secure Automatic Upgrades
The package managers like those being used by Linux distributions basically work the same way and most people use those on a daily basis. But to run my package manager I become root; by default I don't have the appropriate access credentials to overwrite all the binaries on my system. You'd have to...
- Wed Mar 10, 2010 6:42 pm
- Forum: [3.x][Archive] RFCs
- Topic: [RFC] Secure Automatic Upgrades
- Replies: 21
- Views: 48864
Re: [RFC] Secure Automatic Upgrades
bantu wrote: Slightly off-topic, but does Wordpress actually sign their packages for the auto updater right now?
Doesn't look like it:
http://wordpress.org/support/topic/338010
- Wed Mar 10, 2010 3:56 am
- Forum: [3.x][Archive] RFCs
- Topic: [RFC] Secure Automatic Upgrades
- Replies: 21
- Views: 48864
Re: [RFC] Secure Automatic Upgrades
The person packaging the release would, after prepping the packages on their local machine, take a hash of the package (hash_file) and encrypt the hash with their locally stored private key. The packages and their respective signatures would then be uploaded to phpbb.com. The private key would never...
- Wed Mar 10, 2010 3:13 am
- Forum: [3.x][Archive] RFCs
- Topic: [RFC] Secure Automatic Upgrades
- Replies: 21
- Views: 48864
Re: [RFC] Secure Automatic Upgrades
The only thing they'd be able to change would be the signature. The public keys would be included in each phpBB install and although downloads made while the hacked website was up could have altered public keys, already deployed installations would not. The private key, presumably, wouldn't be store...
- Tue Mar 09, 2010 8:28 pm
- Forum: [3.x][Archive] RFCs
- Topic: [RFC] Secure Automatic Upgrades
- Replies: 21
- Views: 48864
Re: [RFC] Secure Automatic Upgrades
Nice catch! I've updated the RFC to say SHA256 but any algorithm supported by hash() should work. phpseclib doesn't support all the algorithms that hash() does but I figure I'll update that at some point. Whirlpool was designed by the people who did AES. Its best cryptanalysis (according to its wi...
- Tue Mar 09, 2010 5:12 pm
- Forum: [3.x][Archive] RFCs
- Topic: [RFC] Secure Automatic Upgrades
- Replies: 21
- Views: 48864
Re: [RFC] Secure Automatic Upgrades
What if the signature checking code contains a bug and does not work correctly? What if there is a bug allowing signature checking to be bypassed? What if the signature itself happens to be weak (see Debian ssl vulnerability)? The signature checking code is fairly well vetted. You can verify at lea...
- Tue Mar 09, 2010 5:09 am
- Forum: [3.x][Archive] RFCs
- Topic: [RFC] Secure Automatic Upgrades
- Replies: 21
- Views: 48864
[RFC] Secure Automatic Upgrades
If you've ever used Wordpress, you're probably aware of how, when a new version is released, Wordpress can automatically download and install the update for you. As convenient as that is, it does present a small problem. In particular, if phpbb.com or wordpress.com or whatever were hacked, an attack...
- Mon Jun 30, 2008 11:02 pm
- Forum: Announcements and News
- Topic: EasyMOD v0.4.0 released (for phpBB 2.0.x)
- Replies: 0
- Views: 32363
EasyMOD v0.4.0 released (for phpBB 2.0.x)
EasyMOD v0.4.0
We're very pleased to release EasyMOD version 0.4.0
Introduction
EasyMOD is an automatic MOD installer. It does in seconds what used to be the laborious and time-consuming task of manually editing files. EM will install EasyMOD Compliant (EMC) MODs and will try to install all other M...
- Sat Sep 30, 2006 11:55 pm
- Forum: Installing MODs with EasyMOD
- Topic: Nightrider
- Replies: 37
- Views: 36281
Re: Nightrider
And if EM was broken, I could understand the attempts to kill it. But EM is not the problem. If Ptirhiik or any other MOD author decided to change AFTER, ADD statements to ADD AFTER, should EM be blamed for not recognizing the command??? Ptirhiik isn't doing that, though. As far as I know, your bas...
- Sat Sep 30, 2006 10:12 pm
- Forum: Installing MODs with EasyMOD
- Topic: Nightrider
- Replies: 37
- Views: 36281
Re: Nightrider
I really don't think this statement could get much clearer. Either the Author's MOD installs correctly using EM or it does not get approved. I see no exceptions or ambiguities here in this statement... Look at the line you underlined: if their MOD fails to [correctly] install with EM on a virgin ph...