Whitelist extension (was: Re: [Typo3-typo3org] Comments on the mirroring concept)
Robert Lemke
robert at typo3.org
Sat Mar 12 23:23:07 CET 2005
Hi folks,
On Thursday 10 March 2005 10:21, Juergen Egeling wrote:
> I do not see a technical problem here, but I see a legal problem. *If* we
> try to give security by telling people we have done this or that to ensure
> that a specific EXT is ok, we then have to do it every time a new version
> comes out.
So this is something we have to discuss in the extrev team, at least it's not
related to the repository itself.
What I aimed for is a very simple thing: After downloading an extension, the
EM tries to connect to the master repository / the super mirrors and checks
the MD5. If it is okay it does not say anything. If integrity fails, a
warning message appears and also if the check failed due to some timeout or
similar.
I think that's easy to achieve technically but improves security without any
side-effects. This method could only fail if someone hacks the master
repository and in that case corrupting the md5 checksum would be the least
problem ...
--
Robert Lemke
Assessor - TYPO3 Association
http://association.typo3.org
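
The check described in the message above, sketched in Python as an added example (not code from the post or from the TYPO3 Extension Manager): silent on a match, a warning on a mismatch, and a warning when no trusted source answers. The source names, the `fetch` callback, the extension key and the sample archive are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import string
from enum import Enum


class Verdict(Enum):
    OK = "ok"                  # checksum matches: say nothing
    MISMATCH = "mismatch"      # a trusted source disagrees: warn
    UNVERIFIED = "unverified"  # no trusted source answered: warn as well


def verify_download(ext_key, version, payload, sources, fetch, algo="md5"):
    """Compare a downloaded archive with the checksum published by a trusted source.

    sources: master repository first, then super mirrors (names are hypothetical).
    fetch(source, ext_key, version) returns a hex digest or raises OSError
    (TimeoutError and ConnectionError are OSError subclasses).
    """
    local = hashlib.new(algo, payload).hexdigest()
    for source in sources:
        try:
            published = fetch(source, ext_key, version).strip().lower()
        except OSError:
            continue  # timeout or network error: try the next trusted source
        if len(published) != len(local) or set(published) - set(string.hexdigits):
            continue  # a malformed answer is treated like no answer
        if hmac.compare_digest(published, local):
            return Verdict.OK
        return Verdict.MISMATCH  # never fall through to another source on a mismatch
    return Verdict.UNVERIFIED


def warning_for(verdict, ext_key):
    """Message for the user, or None when the check passed."""
    if verdict is Verdict.OK:
        return None
    if verdict is Verdict.MISMATCH:
        return f"Integrity check FAILED for {ext_key}: checksum differs from the repository."
    return f"Could not verify {ext_key}: no trusted repository answered in time."


# Constructed sample data: one archive, a master that times out, a mirror that answers.
ARCHIVE = b"constructed extension archive bytes"
PUBLISHED = {"super-mirror-1": hashlib.new("md5", ARCHIVE).hexdigest()}


def fake_fetch(source, ext_key, version):
    if source not in PUBLISHED:
        raise TimeoutError(f"{source} did not answer")
    return PUBLISHED[source]
```

Because the verdict is three-valued, a caller cannot mistake "nobody answered" for "checksum matched", which is the timeout case the message asks to warn about.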