-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Integrity protection for downloaded RPMs #21
Comments
https is now available, we will have to enable it by default in chum meta-package |
Just released repositories definitions (package
should result in update of that package and Chum repositories should switch to https. As for signing, not yet there and I don't think anyone is working on it now. |
If I'm not mistaken, only Jolla can help here since they need to have a publicly visible [email protected] address and public key AND set up the rpm signing. There isn't really anything we can do, is there? |
When installing from chum, it downloads the packages via http and does not check any GPG signatures (because there are none).
This means that, right now, any one who can hijack an HTTP connection can make you install & execute arbitrary code (which we don't want, duh).
I see some possible (quick) fixes:
Apparently this is what Jolla does right now for their own repos. No GPG signatures as well but at least some transport protection.
On repo.merproject.org, TLS support appears to be available but the configuration seems to be broken...
What are the plans on this?
The first option might be the most preferable right now, but the latter could be the best in the long term.
The text was updated successfully, but these errors were encountered: