Bitcoin Forum
October 23, 2019, 04:58:59 PM *
News: Help collect the most notable posts made over the last 10 years.
   Home   Help Search Login Register More  
Pages: [1]
Author Topic: Patch Signing with GPG  (Read 766 times)
Sr. Member
Offline Offline

Activity: 322
Merit: 250

View Profile WWW
May 16, 2011, 08:08:42 PM


I work on an open-source CMS with a few other developers, and we believe an issue with current CMS's is that even when security issues are patched, the vulnerable script still lives out in the wild. To fix this we plan to incorporate (optional) auto-updates. It would connect to the central server, find the patch, download and install it.

I, however, noticed an issue: If someone gets into the main server, they can release a patch to open up all of the CMS's using our code. My proposed solution was to use GPG signatures to verify patch integrity. The issue is that the GnuPG installation for PHP is more difficult than your average webmaster's skill set. We were looking for either a solution to get around this, or a similar thing to GnuPG for us (three developers minimum) to sign the patches.


Pages: [1]
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!