nex3 / marmalade

Git mirror of http://code.google.com/p/marmalade/
http://marmalade-repo.org
GNU General Public License v3.0

marmalade-repo.org appears to have neither SSL/TLS nor package checksums #8

Open isislovecruft opened 10 years ago

isislovecruft commented 10 years ago

Correct me if I missed the checksums, but I couldn't find them anywhere.

As such, package downloads from marmalade-repo.org are trivially MITMable, giving arbitrary code execution on the client machine.

Ideally, you additionally want some manner for package maintainers/authors to upload signatures which are, at minimum, verified on the marmalade-repo.org server. Bonus points if signature verification is done on the client side as well. Otherwise compromise of a maintainer's account means that a modified package could be uploaded and served to clients. Compromising any maintainer's account shouldn't be difficult, as there is no SSL/TLS, and so passwords are sent in the clear.
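To make the client-side half of this concrete, here is an added example (not code from the marmalade project or from anyone in this thread) of what a package client would do with published checksums: parse a `sha256sum`-style manifest and refuse to install an archive whose digest does not match. The package bytes, package name and manifest contents are constructed sample data, and the `SHA256SUMS` format is an assumption about how such checksums might be published, not something marmalade-repo.org provides.

```python
"""Client-side SHA-256 checksum verification for a downloaded package archive."""
import hashlib
import hmac

# Constructed sample data (not a real marmalade package): an archive body and a
# manifest in the `<hex>  <filename>` form that `sha256sum` emits. The second
# line is a filler entry so the manifest has more than one package in it.
PACKAGE_NAME = "example-pkg-1.0.tar"
PACKAGE_BYTES = b"example-pkg-1.0/example-pkg.el\n(provide 'example-pkg)\n"
MANIFEST_TEXT = (
    hashlib.sha256(PACKAGE_BYTES).hexdigest() + "  " + PACKAGE_NAME + "\n"
    + "0" * 64 + "  other-pkg-2.3.tar\n"
)


def parse_manifest(text):
    """Parse `sha256sum`-style lines into {filename: lowercase_hex_digest}.

    Accepts both the text-mode ("  name") and binary-mode (" *name") markers.
    Raises ValueError on any line that is not a 64-hex-digit digest plus a name,
    so a truncated or corrupted manifest fails loudly instead of being ignored.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        digest, name = parts
        try:
            int(digest, 16)
        except ValueError:
            raise ValueError(f"non-hex digest on manifest line {lineno}") from None
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_package(name, data, manifest):
    """Return True only if sha256(data) equals the manifest entry for `name`.

    A package that is missing from the manifest is rejected rather than
    silently accepted; the digest comparison is constant-time.
    """
    expected = manifest.get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    manifest = parse_manifest(MANIFEST_TEXT)
    print("genuine archive ok:", verify_package(PACKAGE_NAME, PACKAGE_BYTES, manifest))
    tampered = PACKAGE_BYTES + b"(message \"modified in transit\")\n"
    print("tampered archive ok:", verify_package(PACKAGE_NAME, tampered, manifest))
```

The check only helps if the manifest itself reaches the client over a channel the attacker cannot rewrite: fetched over TLS, or carried with a maintainer signature the client verifies against a key it already trusts. Over plain HTTP, the same interception that swaps the archive can swap the checksum line to match, which is why the comment above asks for signatures in addition to checksums.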

nicferrier commented 9 years ago

This is dead now. marmalade is now run by me and the repo is http://github.com/nicferrier/elmarmalade

We still have no cert and no sigs but I am slowly working on those things.