owncloud-archive / vm

Scripts to build an ownCloud community production VM. These were in use until the 9.1.x releases; since 10.0.1 we build appliances with Univention:
https://www.univention.de/produkte/univention-app-center/app-katalog/owncloud/

[security] Ensure that the correct PGP public keys are retrieved by importing them by their fingerprint. #45

Open ypid opened 8 years ago

ypid commented 8 years ago

See https://github.com/jchaney/owncloud/pull/12

Vulnerable lines: https://github.com/owncloud/vm/blob/cf6aa232b4e6731bddf00dfd804070cd461eeeb2/vagrant/oc9ce/build-ubuntu-vm.sh#L136

Downloading the PGP key via HTTP and then downloading the packages from the same origin does not make any sense!
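The defensive pattern ypid is asking for, as an added example that is not part of the owncloud/vm repository or of ypid's comment: instead of trusting whatever key the HTTP download returns, the build script pins the expected primary-key fingerprint, inspects the downloaded key without importing it, and only imports it into a dedicated keyring when the fingerprint matches. It assumes `gpg` (GnuPG 2.1.13 or newer, for `--import-options show-only`) and `curl` are installed; the fingerprint, URL and keyring path are placeholders to be replaced with values obtained out of band (for instance from the vendor's HTTPS site or printed documentation), not from the same HTTP origin as the packages.

```shell
#!/bin/sh
# Added example (not code from the owncloud/vm build script): pin the
# repository signing key by fingerprint before importing it.
set -eu

# Normalise a fingerprint for comparison: strip whitespace, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Extract primary-key fingerprints from gpg's machine-readable
# (--with-colons) output on stdin. An "fpr" record that directly follows
# a "pub" record is the primary key; fingerprints following "sub" records
# are subkeys and are ignored. Field 10 of an fpr record is the fingerprint.
primary_fprs_from_colons() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Read gpg colons output from stdin; succeed only if it contains exactly
# one primary key AND that key's fingerprint equals the expected one.
# A key file carrying extra keys is rejected, not silently imported.
check_key_fingerprint() {
    expected=$(normalize_fpr "$1")
    got=$(primary_fprs_from_colons)
    [ "$(printf '%s\n' "$got" | grep -c .)" -eq 1 ] || return 1
    [ "$(normalize_fpr "$got")" = "$expected" ]
}

# Download the key, verify its fingerprint without importing, and only
# then import it into a dedicated keyring (never the default keyring).
import_pinned_key() {
    url=$1; expected=$2; keyring=$3
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    curl -fsSL "$url" -o "$tmp"
    gpg --batch --with-colons --import-options show-only --import "$tmp" \
        | check_key_fingerprint "$expected" \
        || { echo "fingerprint mismatch for $url, refusing to import" >&2; return 1; }
    gpg --batch --no-default-keyring --keyring "$keyring" --import "$tmp"
}

# Usage in a build script (placeholder values, to be replaced with ones
# obtained out of band):
#   import_pinned_key "https://example.invalid/Release.key" \
#       "0000 0000 0000 0000 0000 0000 0000 0000 0000 0000" \
#       /etc/apt/keyrings/vendor-placeholder.gpg
```

The point of the `show-only` pass is that the decision is made on the fingerprint of the key actually received, so a key substituted in transit, or a key file padded with an additional key, fails the check before anything touches the keyring that apt will later consult.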

ypid commented 7 years ago

BTW. The fix which has been merged into https://github.com/nextcloud/vm could also be used here. The build script still downloads both the packages and OpenPGP key via HTTP without even checking the fingerprint. Ref: https://github.com/nextcloud/vm/pull/19

enoch85 commented 7 years ago

@ypid Have you seen this? https://github.com/nextcloud/vm/pull/52

Does this have anything to do with this issue?

Please create a PR, this is not my expertise area.

enoch85 commented 7 years ago

Oh, sorry, thought we were on the Nextcloud VM repo now. Just realized that this is the ownCloud repo. Anyway, please make a PR. :)

Thanks!

ypid commented 7 years ago

I don’t use either of your VMs. I just wanted to draw your attention back to this issue, which makes your build process vulnerable. Please feel encouraged to get familiar with this area and I will be happy to review your PR and give you feedback.

enoch85 commented 7 years ago

cc @Kawohl