[Frugalware-bugs] [FBTS] #3332: [SEC] Authentication Needed

Frugalware noreply at frugalware.org
Fri Aug 29 03:23:37 CEST 2008


THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

A new Flyspray task has been opened.  Details are below. 

User who did this - Richard (richard) 

Attached to Project - Frugalware
Summary - [SEC] Authentication Needed
Task Type - Feature Request
Category - Applications
Status - Unconfirmed
Assigned To - 
Operating System - i686
Severity - High
Priority - Normal
Reported Version - -current
Due in Version - Undecided
Due Date - Undecided
Details - I have submitted a feature request for GPG authentication of packages by the package manager before.  However, after reading this article...

http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html

I believe the issue of authentication should be upgraded to a security related feature.  Also, I would like to suggest using the https protocol for logins into both the Frugalware forums and the bug-tracking system.  I believe the design flaw mentioned in the article could cause a serious man-in-the-middle style attack upon the package management system if the package system doesn't bother to verify that downloaded packages are official.  Likewise, such an attack may also target the Frugalware forums and the bug-tracking system - potentially compromising passwords.

In short, my recommendations would be to...
1.  Add some sort of authentication to the Frugalware package management system for downloaded content.  (Perhaps GPG signatures.)
2.  Use https for logins to both the Frugalware forums and the bug-tracking system.


More information can be found at the following URL:
http://bugs.frugalware.org/task/3332

You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.

