Linux packages don't download via HTTPS #231
Comments
Posted an issue at openSUSE: openSUSE/software-o-o#45
@pmconrad I'm not referring to the iframe web page; I'm talking about the package files. E.g. it asks me to run:
Which means I'm totally vulnerable to a MITM attack when downloading that .repo file, which could be used to inject malware.
I can sign the repo's GPG key with my own if that's any help. (But I can't upload the signed key to OBS, so we'd have to publish it elsewhere.)
@pmconrad If you could upload a signed copy of the .repo files (and whatever equivalent exists for non-Fedora distros) to namecoin.org, that would probably work okay (and would be reasonably user-friendly for end users). @phelixbtc could probably help facilitate uploading them. I would love to solve the privacy issue too, but it's less critical (particularly since privacy-conscious users are probably using Tor, which partially solves this issue).
Sorry, this dropped off my radar. Thanks for the bump.
mQGiBEzT5vQRBAChC66Ww4PMVR/EQ/z6h1R4ChmMO+1B6GNJRP5AaoCO1rERilP4
On RPM-based systems, the key should be imported with
The Linux packages on OBS don't download via HTTPS; nor do the associated keys. This means that a passive attacker can easily see who is downloading Namecoin, and an active attacker can easily inject malware into downloads.
I know this is a temporary issue since Namecoin Core will use reproducible builds... but it's still a problem for now.
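The issue body describes the two exposures of a plain-HTTP repository: the `.repo` file and the signing key arrive unauthenticated, so `gpgcheck` ends up verifying against whatever key the network handed over. The script below is an added example written for this page, not code from the Namecoin project or from OBS. It audits a yum/dnf/zypper `.repo` file for exactly those conditions, distinguishing the case where only privacy is lost (key pinned locally, packages still signature-checked) from the case where integrity is lost as well, and shows the mitigation the thread converges on: pin the key to a local file that was obtained and fingerprint-checked out of band. The hostname, project path and section name in the sample are constructed and are not the real Namecoin repository URLs.

```python
"""Audit a .repo file for unauthenticated download paths and pin its signing key.

Example code added for this page; it is not part of the Namecoin project or OBS.
The sample repository below is constructed: hostname and project path are made up.
"""
import configparser
import io
from urllib.parse import urlparse

# Constructed sample in the shape OBS generates for an RPM-based distro (assumed values).
SAMPLE_REPO = """\
[home_example_namecoin]
name=Namecoin (openSUSE_Tumbleweed)
type=rpm-md
baseurl=http://download.example.invalid/repositories/home:/example/openSUSE_Tumbleweed/
gpgcheck=1
gpgkey=http://download.example.invalid/repositories/home:/example/openSUSE_Tumbleweed/repodata/repomd.xml.key
enabled=1
"""

# Schemes over which the key's origin is authenticated (TLS) or already local.
TRUSTED_SCHEMES = ("https", "file")


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_repo(text):
    """Map each repo section to a list of findings (an empty list means nothing flagged)."""
    cp = _parse(text)
    findings = {}
    for section in cp.sections():
        sec = cp[section]
        problems = []
        gpgcheck = sec.get("gpgcheck", "0").strip() == "1"
        base_scheme = urlparse(sec.get("baseurl", "")).scheme
        key_scheme = urlparse(sec.get("gpgkey", "")).scheme
        # Signatures only mean something if the verifying key itself came over a trusted path.
        key_trusted = gpgcheck and key_scheme in TRUSTED_SCHEMES

        if not gpgcheck:
            problems.append("gpgcheck disabled: packages are installed without signature verification")
        elif key_scheme not in TRUSTED_SCHEMES:
            problems.append(
                "gpgkey is fetched over an unauthenticated channel: an active attacker can "
                "substitute the signing key and gpgcheck then verifies against the attacker's key"
            )
        if base_scheme != "https":
            impact = ("privacy only, signatures still protect integrity"
                      if key_trusted else "integrity and privacy")
            problems.append(f"baseurl is not https ({impact})")
        findings[section] = problems
    return findings


def pin_gpgkey(text, local_key_path):
    """Rewrite every section's gpgkey to a file:// path and force gpgcheck on.

    The caller must have obtained the key out of band and checked its fingerprint
    before placing it at local_key_path; this only edits the .repo, it does not verify.
    """
    cp = _parse(text)
    for section in cp.sections():
        if "gpgkey" in cp[section]:
            cp[section]["gpgkey"] = "file://" + local_key_path
            cp[section]["gpgcheck"] = "1"
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)
    return out.getvalue()


if __name__ == "__main__":
    for section, problems in audit_repo(SAMPLE_REPO).items():
        print(section)
        for p in problems:
            print("  -", p)
    print(pin_gpgkey(SAMPLE_REPO, "/etc/pki/rpm-gpg/RPM-GPG-KEY-namecoin"))
```

Run it against a `.repo` handed out by any HTTP-only repository and the first audit reports both the untrusted key and the unauthenticated base URL; after `pin_gpgkey` the remaining finding is the privacy one the thread calls less critical, which is the correct residual risk once the key is trusted.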