Open leoluk opened 9 years ago
shinken install downloads unsigned code over an unencrypted connection (https://github.com/naparuba/shinken/blob/e636db2c1768c38ffcfda0f019b1bb789d4fdbf0/cli/shinkenio/cli.py#L325).
This allows an attacker to compromise a Shinken host by adding malicious code to a downloaded package.
Enabling HTTPS for shinken.io would mitigate this - a proper fix would be the implementation of package signing.
+1. signature and https are always great to have.
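An added example, not part of the issue thread or Shinken's code: a download path that refuses non-HTTPS URLs and rejects a package whose SHA-256 does not match a pinned value before anything is unpacked. The digest pin stands in for a real signature check (the standard library has no public-key verification), and the function names, the `example.invalid` URL, the injected `fetch` callable and the sample bytes are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit


class UntrustedPackage(Exception):
    """Raised when a package fails a transport or integrity check."""


def check_url(url):
    """Refuse any download URL that is not HTTPS with a host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise UntrustedPackage("refusing non-HTTPS URL: %r" % url)
    return url


def verify_digest(data, expected_sha256):
    """Compare the archive's SHA-256 with the pinned value in constant time."""
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise UntrustedPackage("digest mismatch: got " + actual)
    return actual


def fetch_package(url, expected_sha256, fetch):
    """Download via the injected `fetch`; return bytes only if all checks pass."""
    data = fetch(check_url(url))
    verify_digest(data, expected_sha256)
    return data  # only now should the caller unpack and install


# Constructed sample data: a stand-in archive and its pinned digest
# (assumed to come from a trusted, out-of-band source).
GOOD = b"constructed package archive bytes"
PINNED = hashlib.sha256(GOOD).hexdigest()


def honest_fetch(url):
    """Constructed stand-in for a real HTTPS download."""
    return GOOD


def tampering_fetch(url):
    """Constructed stand-in for a response modified in transit."""
    return GOOD + b"\n# bytes appended in transit"
```

A pinned digest only helps if it reaches the client over a channel the attacker cannot modify; package signing removes that dependency by letting the client verify against a key it already trusts.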