Checking for new version of a program

Delaney, Timothy tdelaney at avaya.com
Tue Aug 21 20:23:01 EDT 2001


> Interesting.. I think maybe I should put a warning in the README that
> enabling auto-update may be a security risk if my server is cracked, so if
> the system has secrets on it, user must disable the feature. With
> signatures, even, private signature also can be compromised.. but then
> again, even if there is no auto-update, someone can just crack the server
> and replace tarball with a trojan (and then post an update to freshmeat
> for good measure!).

Well, no - you don't have the *server* apply the signature - you have that
already applied to the file to be downloaded. Otherwise any file would
appear to be a valid download. Sure - someone could crack your server and
put a trojan on there - but since it isn't signed properly, your app would
refuse it.

Tim Delaney
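The separation Tim describes (the maintainer signs the release offline, the server only hosts the tarball plus its detached signature, and the application verifies against a public key it already carries) in working form. This is an added example, not code from the original thread or from any poster's project; it uses Go's standard-library Ed25519 purely for self-containment, and the release contents, the fake "server" closure and the attacker scenarios are all constructed here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Release is what the download server hosts: the tarball and a detached
// signature. The server never holds the private key; signing happens on the
// maintainer's machine before upload.
type Release struct {
	Tarball   []byte
	Signature []byte
}

// SignRelease runs on the maintainer's (offline) machine. Only the resulting
// detached signature is uploaded next to the tarball.
func SignRelease(priv ed25519.PrivateKey, tarball []byte) Release {
	return Release{Tarball: tarball, Signature: ed25519.Sign(priv, tarball)}
}

// VerifyRelease runs inside the application, with the maintainer's public key
// compiled in. A tarball swapped on a cracked server fails this check, and so
// does a tarball signed with any key other than the embedded one.
func VerifyRelease(pub ed25519.PublicKey, r Release) bool {
	if len(pub) != ed25519.PublicKeySize || len(r.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, r.Tarball, r.Signature)
}

// CheckUpdate is the auto-update path: fetch returns whatever the server
// serves, and the update is handed back only if the signature verifies.
func CheckUpdate(pub ed25519.PublicKey, fetch func() Release) ([]byte, error) {
	r := fetch()
	if !VerifyRelease(pub, r) {
		return nil, fmt.Errorf("update rejected: signature does not verify under embedded key")
	}
	return r.Tarball, nil
}

// ScenarioResult records whether each constructed download was accepted.
type ScenarioResult struct {
	HonestAccepted   bool // legitimate, maintainer-signed release
	TrojanAccepted   bool // tarball replaced on the server, old signature left in place
	ResignedAccepted bool // tarball replaced and re-signed with the attacker's own key
}

// RunScenario plays the honest case and two server-compromise cases so the
// difference is visible. The "tarballs" are constructed byte strings.
func RunScenario() (ScenarioResult, error) {
	var res ScenarioResult
	// Maintainer keypair: pub is shipped inside the app, priv never leaves the maintainer.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return res, err
	}
	genuine := []byte("myapp-1.1.tar.gz: constructed sample release contents")
	hosted := SignRelease(priv, genuine) // what gets uploaded to the server

	got, err := CheckUpdate(pub, func() Release { return hosted })
	res.HonestAccepted = err == nil && bytes.Equal(got, genuine)

	// Server cracked: tarball swapped, maintainer's signature file left untouched.
	trojan := []byte("myapp-1.1.tar.gz: constructed trojaned contents")
	_, err = CheckUpdate(pub, func() Release {
		return Release{Tarball: trojan, Signature: hosted.Signature}
	})
	res.TrojanAccepted = err == nil

	// Server cracked and attacker signs the trojan with a key they generated.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return res, err
	}
	_, err = CheckUpdate(pub, func() Release { return SignRelease(attackerPriv, trojan) })
	res.ResignedAccepted = err == nil
	return res, nil
}

func main() {
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("example embedded public key:", hex.EncodeToString(pub))
	res, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest=%v trojan=%v resigned=%v\n",
		res.HonestAccepted, res.TrojanAccepted, res.ResignedAccepted)
}
```

The check only answers "was this file signed by the key I ship with"; it says nothing about freshness, so a cracked server that serves an older, genuinely signed release still passes, which is why real updaters also pin a version or timestamp inside the signed data.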
