-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sunday 07 July 2002 20:35:20, Jean-Luc Cooke wrote: > Yes, if you look at the script, there are GPG signature performed. > > example: > http://jlcooke.ca/go?2.4.18/CA | less > > Ideally, I'd rather have an SSL tunnel to the script...but that depends on > the server. Yes, I see :) But there are still some things that come to my mind as far as security is concerned: * Placing "KERNKEY=0x517D0F0E" inside the script downloaded from the web might be a potential security risk as this could quite easily be transparently replaced by a different key id I have in my keyring (or that is available via the keyserver)[1]. I think this might be avoided by reading the key ID from a local file that has to be created by the user first (?) * There is no check whether the key used for verification is trusted/has been signed by the user. * The script is being piped directly from the web to a root shell. This looks dangerous to me, even with SSL in use, as long as the SSL certificate doesn't undergo verification. I currently can't find any option for lynx or w3m that does this, but it's very possible I'm just blind. And there's one thing I stumbled across when reading the code - maybe you should start with a section like this: TRUEBIN = `which true` W3MBIN = `which w3m` LYNXBIN = `which lynx` etc., just as you did with the gpg binary. All just IMHO, of course. Greetings, David [1] which would require replacing the signatures as well, but that is possible either. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: http://david-guembel.de/webpgp.html iD8DBQE9KMcdcWkuqYXk/uwRAorDAJ9AU2krpQC61Rg30BC1rDsZ7/78EgCgqzho HNBRJJ0sFWTDfeFzfA/4hVs= =2QuW -----END PGP SIGNATURE----- - Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/
