[wp-trac] [WordPress Trac] #18577: Updates and downloads should be signed or delivered securely
WordPress Trac
noreply at wordpress.org
Tue Jul 30 12:09:00 UTC 2013
#18577: Updates and downloads should be signed or delivered securely
-----------------------------+------------------------------
Reporter: wplid | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Upgrade/Install | Version:
Severity: normal | Resolution:
Keywords: 2nd-opinion |
-----------------------------+------------------------------
Comment (by rmccue):
Replying to [comment:5 dd32]:
> Other than using SSL, what options do we have to sign/validate that the
packages downloaded from WordPress.org are legit?
If we really care, we can use asymmetrical cryptography and distribute a
public key. This is possible in PHP userland with something like
[http://phpseclib.sourceforge.net/rsa/examples.html#sign,sign2 phpseclib]
and means we can avoid rolling our own for the most part. (This also falls
back to native support if it exists.)
This does mean partially reinventing the wheel (this is what SSL is for,
after all), but at least it gives us compatibility. The question is
whether we care enough.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/18577#comment:6>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list