omniti-labs / pkg5

Note, this is a quasi-private archive for OmniTI, you probably want https://omniosce.org

Secure signature-policy default and options #1

Open bensummers opened 9 years ago

bensummers commented 9 years ago

Set the default signature-policy to require-signatures because software update mechanisms need to be secure.

Remove the verify option because it provides zero security, can't implement policy, and the name is incredibly misleading. Any attacker who can modify the repo, either by MITM or access to the repo server, just needs to remove the signature from the manifest to be able to alter a package.

Users currently using 'verify' should be honest about it and use 'ignore'.
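A small model of the three policies discussed in this thread, added here as an illustration and not pkg5's own code: the manifest is a list of action lines, the publisher's asymmetric signature is simulated with HMAC-SHA256 under a constructed key, and the sample manifests and path/hash values are constructed. It shows why a stripped signature passes under 'verify' but is rejected under 'require-signatures'.

```python
"""Model of pkg(5) signature-policy semantics: ignore / verify / require-signatures."""
import hashlib
import hmac

# Constructed stand-in for the publisher's signing key. In pkg5 this is a private
# key whose certificate chains to the publisher's trust anchor; HMAC is used here
# only to keep the example self-contained.
PUBLISHER_KEY = b"constructed-publisher-key"


def _digest(actions):
    return hmac.new(PUBLISHER_KEY, "\n".join(actions).encode(), hashlib.sha256).hexdigest()


def sign_manifest(actions):
    """Return the action lines plus a signature action covering them."""
    return actions + [f"signature {_digest(actions)}"]


def split_manifest(manifest):
    """Separate ordinary actions from signature actions."""
    actions = [a for a in manifest if not a.startswith("signature ")]
    sigs = [a.split(" ", 1)[1] for a in manifest if a.startswith("signature ")]
    return actions, sigs


def check_policy(manifest, policy):
    """Decide whether a manifest is accepted under `policy`; returns (accepted, reason)."""
    actions, sigs = split_manifest(manifest)
    if policy == "ignore":
        return True, "signatures not checked"
    if policy not in ("verify", "require-signatures"):
        raise ValueError(f"unknown signature-policy {policy!r}")
    if not sigs:
        # This branch is the whole argument: 'verify' has nothing to verify.
        if policy == "verify":
            return True, "no signature present; nothing to verify"
        return False, "no signature present; policy requires one"
    expected = _digest(actions)
    if all(hmac.compare_digest(s, expected) for s in sigs):
        return True, "signature verified"
    return False, "signature does not match manifest"


# Constructed samples: a genuine signed manifest, the same manifest with a file hash
# swapped but the signature left in place, and the tampered manifest with the
# signature action removed (what an attacker controlling the repo or path would do).
GENUINE = sign_manifest(["set name=pkg.fmri value=pkg://example/tool@1.0",
                         "file sha256=aaaa path=usr/bin/tool mode=0555"])
TAMPERED_SIGNED = [a.replace("sha256=aaaa", "sha256=ffff") for a in GENUINE]
TAMPERED_STRIPPED, _ = split_manifest(TAMPERED_SIGNED)

if __name__ == "__main__":
    for label, m in [("genuine", GENUINE), ("tampered+signed", TAMPERED_SIGNED),
                     ("tampered+stripped", TAMPERED_STRIPPED)]:
        for policy in ("ignore", "verify", "require-signatures"):
            print(f"{policy:>18} / {label:<17}: {check_policy(m, policy)}")
```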

danmcd commented 9 years ago

Not accepting this for '014, but keeping it as fodder for a future release.

bensummers commented 9 years ago

I agree it may be too big a step for the forthcoming release. But I have hope for the future. :-)

lotheac commented 9 years ago

+1 on this change, 'verify' is worse than useless because it can provide a false sense of security. Although if require-signatures is made the default for new publishers, will that break third party repos unless they specify ignore?

danmcd commented 9 years ago

It will break 3rd-party repos unless they specify ignore. This is why I haven't pulled this in yet.