[wp-trac] [WordPress Trac] #18577: Updates and downloads should be signed or delivered securely
WordPress Trac
noreply at wordpress.org
Tue Jul 30 12:03:22 UTC 2013
#18577: Updates and downloads should be signed or delivered securely
-----------------------------+------------------------------
Reporter: wplid | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Upgrade/Install | Version:
Severity: normal | Resolution:
Keywords: 2nd-opinion |
-----------------------------+------------------------------
Comment (by dd32):
Other than using SSL, what options do we have to sign/validate that the
packages downloaded from WordPress.org are legit?
Realistically, we cannot guarantee that 100% of Servers out there have
cURL installed, and have a valid SSL cert chain locally which cURL can
reference, the amount of users that affects is significant enough that we
simply cannot disable updates for them.
If there is an alternative which we can use to securely verify packages
after downloading, it'll make HTTP vs HTTPS not be an issue and we'll be
able to trust it.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/18577#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list