Bitcoin Forum
Topic: Patch Signing with GPG
lulzplzkthx
May 16, 2011, 08:08:42 PM

Hello,

I work on an open-source CMS with a few other developers, and we believe an issue with current CMSs is that even when security issues are patched, the vulnerable script still lives out in the wild. To fix this we plan to incorporate (optional) auto-updates. It would connect to the central server, find the patch, download and install it.

I, however, noticed an issue: If someone gets into the main server, they can release a patch to open up all of the CMSs using our code. My proposed solution was to use GPG signatures to verify patch integrity. The issue is that the GnuPG installation for PHP is more difficult than your average webmaster's skill set. We were looking for either a solution to get around this, or a similar thing to GnuPG for us (three developers minimum) to sign the patches.

Thanks,
lulzplzkthx
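
One way to check the "three developers minimum" requirement from the post above without the GnuPG extension, as an added example that is not part of the original post or the poster's project: a k-of-n check of detached signatures using PHP's bundled OpenSSL extension in place of GPG. The key ids, function names, threshold default and demo keys are assumptions constructed for illustration; in use the public keys would ship with the CMS and the private keys would stay with the developers, off the update server.

```php
<?php
// Added example: k-of-n detached-signature check with PHP's OpenSSL extension.
// Function names, key ids and the threshold default are assumptions.

// $trustedKeys: keyId => PEM public key pinned in the CMS at install time.
// $signatures:  keyId => raw signature bytes downloaded next to the patch.
function count_valid_signers(string $patch, array $signatures, array $trustedKeys): int
{
    $valid = 0;
    foreach ($trustedKeys as $keyId => $pem) {   // loop over trusted keys so each counts once
        if (!isset($signatures[$keyId])) {
            continue;
        }
        // openssl_verify returns 1 for a valid signature; 0, -1 or false otherwise.
        if (openssl_verify($patch, $signatures[$keyId], $pem, OPENSSL_ALGO_SHA256) === 1) {
            $valid++;
        }
    }
    return $valid;
}

function patch_is_authorized(string $patch, array $signatures, array $trustedKeys, int $threshold = 3): bool
{
    return count_valid_signers($patch, $signatures, $trustedKeys) >= $threshold;
}

// --- Constructed demo: three developer key pairs generated on the fly ---
$trusted = [];
$private = [];
foreach (['dev1', 'dev2', 'dev3'] as $id) {
    $key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $private[$id] = $key;
    $trusted[$id] = openssl_pkey_get_details($key)['key'];   // PEM public key
}
$patch = "constructed patch bytes";
$sigs = [];
foreach ($private as $id => $key) {
    openssl_sign($patch, $sig, $key, OPENSSL_ALGO_SHA256);
    $sigs[$id] = $sig;
}
var_dump(patch_is_authorized($patch, $sigs, $trusted));               // all three developers signed
var_dump(patch_is_authorized($patch . "tampered", $sigs, $trusted));  // patch modified after signing
unset($sigs['dev3']);
var_dump(patch_is_authorized($patch, $sigs, $trusted));               // only two signatures present
```

The updater would call `patch_is_authorized()` on the downloaded bytes before unpacking anything, and refuse to install when it returns false.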
