[wp-trac] [WordPress Trac] #25052: Updates and downloads should be signed

WordPress Trac noreply at wordpress.org
Wed Sep 11 04:39:46 UTC 2013


#25052: Updates and downloads should be signed
-----------------------------+------------------
 Reporter:  samuelsidler     |       Owner:
     Type:  enhancement      |      Status:  new
 Priority:  normal           |   Milestone:  3.7
Component:  Upgrade/Install  |     Version:
 Severity:  normal           |  Resolution:
 Keywords:  2nd-opinion      |
-----------------------------+------------------

Comment (by rmccue):

 I agree with bpetty and dd32's assessment, but I'd like to note:

 Replying to [comment:6 bpetty]:
 > I've considered bundling another 3rd party library, namely
 > [http://phpseclib.sourceforge.net/ phpseclib], which provides a pure-PHP
 > X.509 and PKCS#1 implementation (while being license and PHP version
 > requirements compatible), however, it really is a huge library, and I'm
 > also opposed to adding yet another custom maintained 3rd party library
 > that requires being stripped down, files renamed, and some minor code
 > changes like most of the other bundled libs - especially on a library
 > whose sole purpose is security and encryption.

 dd32 has expressed interest in bundling the library to improve SSH/SFTP
 support as part of integrating
 [http://wordpress.org/plugins/ssh-sftp-updater-support/ the existing plugin]
 into core. Whether that happens is a
 separate issue, but worth noting that it wouldn't just be for this
 feature.

 +1 for dot-org signatures now for core at least, plugins once the
 architecture supports it. Having it means we can start to integrate it
 into core as a separate issue.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/25052#comment:8>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

