[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds
|
> Please talk to security experts about threat modelling and mitigation.
Please read about the "SolarWinds" attack [1] to see that signing helps
for nothing as long as your "trusted system" it tampered :-)
But I think that's far out of topic here... signing of content is simply
not a concern of that new feature as consuming artifacts from P2 sites
does not guarantee signing either.
[1] https://www.solarwinds.com/de/securityadvisory
Am 21.01.21 um 16:24 schrieb Gunnar Wagenknecht:
On Jan 21, 2021, at 16:12, Christoph Läubrich <laeubi@xxxxxxxxxxxxxx> wrote:
If someone has access to your machine to tamper any file your almost lost and signatures does not help. A signature only provides you with some kind of trust of the origin and was not tampered on transit.
The claims in this statement apply to a narrow scenario and simply don't hold true in the broader case. Please talk to security experts about threat modelling and mitigation.
Signed content is a fine way of verifying that content has not been tempered with. Any re-signing requires either access to the original signing key (which Eclipse.org webmasters protect) or injecting a new authority into a trust system, which *if* done properly, requires a different level of file system access than the process with write access to plugin jar files would have.
-Gunnar
_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/tycho-user