[wp-trac] [WordPress Trac] #25052: Updates and downloads should be signed

WordPress Trac noreply at wordpress.org
Wed Sep 11 04:33:58 UTC 2013


#25052: Updates and downloads should be signed
-----------------------------+------------------
 Reporter:  samuelsidler     |       Owner:
     Type:  enhancement      |      Status:  new
 Priority:  normal           |   Milestone:  3.7
Component:  Upgrade/Install  |     Version:
 Severity:  normal           |  Resolution:
 Keywords:  2nd-opinion      |
-----------------------------+------------------

Comment (by dd32):

 Replying to [comment:5 samuelsidler]:
 > I was under the impression that package signing would be done to account
 > for installs that fall back to HTTP when SSL is broken on their servers.
 > I'm not sure if that's even possible however – if SSL is broken, verifying
 > a package likely wouldn't work either.

 Correct. If we release with a bundled CA (#25007), then any system that can
 use OpenSSL should "just work" for HTTPS communication; any host that
 doesn't have OpenSSL most likely wouldn't be able to verify a package
 signature either (unless we packaged phpseclib or used a non-SSL-based
 method of signing).

 Replying to [comment:6 bpetty]:
 > If we aren't lazy (and this would take significantly more work to
 > implement, both on our part, and on plugin/theme authors), we implement
 > package signing through the authors themselves in the same way that
 > Android apps, OSX apps, and many other software distribution channels
 > handle package/application signing.

 To be blunt, I don't think this is something that we'll be implementing at
 present (user-initiated signing); it's a lot of extra work for "minimal
 benefit".
 People's credentials falling into a malicious user's hands is probably not
 something that should be fixed through code either. Instead, two-factor
 authentication (for svn, that'd likely require svn+ssh://) or email
 confirmation of releases would be more appropriate.

 For non-WordPress.org hosted items, package signing could be much more
 useful; however, it is something that the plugin handling that could add.
 If we supported multiple repositories, which were only partially trusted,
 package signing would be much more crucial, so as to prevent one
 repository claiming to have an updated version for something which it
 doesn't have the authority to offer - something that I believe Linux /
 Pear / Composer / Android probably have to deal with.

 So in conclusion: I think #25007 (optionally with #25252) is going to
 provide us enough of a security boost for 3.7.
 I also think that we should still look into making a package signature
 available for downloads somehow, even if we don't utilise them within
 WordPress quite yet.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/25052#comment:7>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
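The comment above distinguishes two things a signed package buys you: integrity of the download itself, and, once several partially trusted repositories are in play, proof that the repository offering an update is actually authoritative for that package. The following is an added example, not code from the ticket or from WordPress core, written in Go with its standard-library Ed25519 purely so it is self-contained. Everything in it is assumed for illustration: the `Manifest`/`Repo`/`Policy` types, the `NewRepo` helper that generates keys in-process (real keys would be generated offline and only the public half pinned on sites), the slug "akismet" and version "1.2.3" as sample identifiers, the hypothetical "example-mirror" repository, and the constructed stand-in archive bytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what a repository signs. Binding the slug and version to a hash
// of the exact archive bytes means a valid signature cannot be replayed for a
// different package, a different version or a tampered download.
type Manifest struct {
	Slug    string
	Version string
	Archive []byte // the package bytes as downloaded (constructed sample in main)
}

// signingInput canonicalises the manifest; NUL separators avoid ambiguity
// between field boundaries (e.g. slug "a" + version "bc" vs "ab" + "c").
func (m Manifest) signingInput() []byte {
	sum := sha256.Sum256(m.Archive)
	return []byte(m.Slug + "\x00" + m.Version + "\x00" + hex.EncodeToString(sum[:]))
}

// Repo is one update source together with the public key the site pinned for
// it at configuration time. The key is never fetched over the update channel.
type Repo struct {
	Name string
	Key  ed25519.PublicKey
}

// NewRepo generates a fresh keypair (demo only; assumed helper, not a real API).
func NewRepo(name string) (Repo, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Repo{Name: name, Key: pub}, priv
}

// Policy records which repository is authoritative for which slug. This is the
// check that stops a partially trusted mirror from "updating" a package it does
// not own, even when its signature is perfectly valid under its own key.
type Policy map[string]string // slug -> authoritative repo name

var (
	ErrUnauthorized = errors.New("repository is not authoritative for this package")
	ErrBadSignature = errors.New("signature does not verify against the pinned key")
)

// SignManifest is the release-time step on the repository side.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.signingInput())
}

// VerifyUpdate is the install-time step on the site. Authority is checked
// before the signature, so an unauthorised repo is rejected no matter how
// well-formed its signature is; the signature then covers integrity.
func VerifyUpdate(p Policy, from Repo, m Manifest, sig []byte) error {
	if p[m.Slug] != from.Name {
		return ErrUnauthorized
	}
	if !ed25519.Verify(from.Key, m.signingInput(), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	wporg, wporgKey := NewRepo("wordpress.org")
	mirror, mirrorKey := NewRepo("example-mirror") // hypothetical second repository
	policy := Policy{"akismet": "wordpress.org"}   // constructed example policy

	// Constructed stand-in for a plugin zip; a real site would use the downloaded bytes.
	release := Manifest{Slug: "akismet", Version: "1.2.3", Archive: []byte("PK\x03\x04 fake zip bytes")}
	sig := SignManifest(wporgKey, release)
	fmt.Println("genuine release:", VerifyUpdate(policy, wporg, release, sig))

	// The mirror signs the identical manifest with its own key: valid signature, no authority.
	fmt.Println("mirror offering akismet:", VerifyUpdate(policy, mirror, release, SignManifest(mirrorKey, release)))

	// A modified download presented with the original signature fails the integrity check.
	tampered := release
	tampered.Archive = append(append([]byte(nil), release.Archive...), []byte(" + backdoor")...)
	fmt.Println("tampered archive:", VerifyUpdate(policy, wporg, tampered, sig))

	// Re-labelling the same archive as a different version also breaks the signature.
	relabelled := release
	relabelled.Version = "9.9.9"
	fmt.Println("relabelled version:", VerifyUpdate(policy, wporg, relabelled, sig))
}
```

The point the thread makes is visible in the second case: HTTPS alone tells the site it is talking to the mirror it asked for, but only the authority check plus a signature under the pinned key tells it that the mirror is entitled to publish that particular package.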

