wbond
commented
12 years ago Thanks for raising this issue!
You are definitely correct in saying that it is time for me to set up the package list to be served over HTTPS. Does python not ship with a CA cert bundle that I can reasonably verify the SSL certs via urllib/urllib2?
In terms of generating hashes for the packages, I'm not sure that will be possible without completely gutting the whole infrastructure that package control is built upon. Unless I am missing something, GitHub and BitBucket to not provide the hashes for the zip downloads. The only way I could provide hashes for verification is if I have my channel server download every package from GitHub and BitBucket and generate the hashes.
In terms of signing the channel file - this would be trivial, except that the Linux version of Sublime Text does not ship with the ssl module, leaving almost 20% of users out in the dark. I could attempt to fork off CLI openssl process to do some public key crypto instead, but there is still the very real possibility of bricking Package Control for almost 20k users.
I'd prefer to try and roll out the HTTPS default channel URL with the CA cert for my SSL cert, assuming that Python doesn't necessarily have access to CA certs. I could then provide a URL in the channel that would have the CA certs for BitBucket and GitHub so that downloads from those sites could be verified. This would allow me to continue running package control off of the current infrastructure without having to find different hosting to handle the load of independently downloading and generating hashes.
I understand your desire to turn off automatic updating right away, but I'm gonna try to swiftly get the SSL stuff setup instead. Once I turn off automatic updating, there will be not automatic way to turn it back on, which will in essence leave 100k developers with a package manager that supposedly automatically updates packages, but does not.
On a related note, this does not in any way prevent malicious code from getting onto developers computers. The package infrastructure does not involve a formal review process, so it would be possible for any developer who has a package on GitHub or BitBucket to ship a benign package one day, and the next ship python code to wipe someone's hard drive. I don't think there is going to be any reasonable way to prevent this possibility, other than telling users this is possible. They can then take the risks into consideration and determine if they think they trust the developer who created the package.
If you, or anyone else has more thoughts, or see issues with my current plan of action, please do let me know! I'd like to get this resolved very soon.
glyph
jotbe
Please add some cryptographic checking on the validity of updated packages.
Right now it's pretty trivial to attack anyone using Package Control: just DNS spoof sublime.wbond.net at some coffee shop where a sublime developer goes, and serve up "updates" to all possible packages that contain malware. Sublime will then instantly load whatever arbitrary python code the attacker want to send, and execute it locally, as soon as our unfortunate developer opens their laptop. Good bye credit cards, et cetera.
Both the update listing and the packages themselves should be signed in some way. Since most packages are on GitHub, a regular old HTTPS certificate check everywhere, while not ideal, would be a good start. The curl and wget downloaders will sometimes verify a cert, but that depends on local configuration; the urllib one won't. But none of that matters if the URLs are HTTP, so those should be disallowed during an automatic update.
Until they are, please disable auto_upgrade by default so that upgrading packages is an explicit decision made when the developer at least feels that their network connection is unlikely to be pwned.