Re: Extension security?

From: "Jasper St. Pierre" <jstpierre mecheye net>
To: Pauli Virtanen <pav iki fi>
Cc: gnome-shell-list gnome org
Subject: Re: Extension security?
Date: Fri, 16 Dec 2011 21:04:59 -0500

If the website is hacked, the attacker has the GPG key anyway, so they
can sign a rogue extension. Unless I'm not understanding how the
website is supposed to automatically sign extensions after they've
been approved.

On Fri, Dec 16, 2011 at 8:14 PM, Pauli Virtanen <pav iki fi> wrote:
> 16.12.2011 20:44, Olav Vitters kirjoitti:
>
>> On Fri, Dec 16, 2011 at 08:38:03AM -0800, Jonathan Wilkes wrote:
>>>
>>> So when someone hacks the extension website and changes the code for
>>> "Popular Extension #1" to log the user's keystrokes, how
>>>
>>> does my Gnome Shell know to reject that rogue extension when I try to
>>> install it?
>>
>>
>> If the website is hacked, the GPG signature would still be added.
>
>
> What does this mean? The client as it is in Gnome 3.2.1 does not seem to
> contain any code checking GPG signatures --- so if the site is hacked, enjoy
> your keylogger?
>
> --
> Pauli Virtanen
>
>
> _______________________________________________
> gnome-shell-list mailing list
> gnome-shell-list gnome org
> http://mail.gnome.org/mailman/listinfo/gnome-shell-list



-- 
  Jasper

Follow-Ups:
- Re: Extension security?
  - From: Pauli Virtanen

References:
- RE: Extension security?
  - From: Jonathan Wilkes
- Re: Extension security?
  - From: Pauli Virtanen
- Re: Extension security?
  - From: Jonathan Wilkes
- Re: Extension security?
  - From: Olav Vitters
- Re: Extension security?
  - From: Pauli Virtanen

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]