On Sat, Jan 2, 2016 at 12:47 AM, Michael Gardner <gardne...@gmail.com> wrote:
>
>> On Jan 1, 2016, at 21:31, Toby Crawley <t...@tcrawley.org> wrote:
>>
>> But if we had a regular
>> process that crawled all of the mirrors and the canonical repo to
>> verify that the checksums of every artifact are identical, this could
>> actually improve security, since we could detect if any checksum
>> had been changed
>
> I would caution against this approach. An attacker could easily target
> specific organizations, serving compromised artifacts only to particular IP
> ranges. A periodic verification process wouldn't detect this[1], and might
> lend a false sense of security that lulls people into putting off real
> security measures.
>
> [1] Unless run by every organization that uses lein, and even then it still
> might not catch anything if the attackers are clever.
>
That's a good point. Would you trust this approach more if the mirrors
were all managed by the clojars staff instead of by community members?
You currently trust the clojars staff to not act maliciously, and to
detect an intrusion by a third party against clojars.org.

- Toby

--
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
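The periodic checksum comparison discussed in this thread, together with the blind spot raised in the quoted reply, as an added example that is not part of the original messages. The mirror names, artifact paths, vantage labels and the use of SHA-256 are constructed assumptions.

```python
import hashlib

def digest(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes (hash choice is an assumption)."""
    return hashlib.sha256(data).hexdigest()

def audit(canonical, observations):
    """Compare every observed manifest with the canonical one.

    canonical:    {artifact_path: checksum} from the canonical repo
    observations: {(mirror, vantage): {artifact_path: checksum}}, i.e. what
                  each mirror served to a client at that network vantage
    Returns sorted (mirror, vantage, artifact_path, problem) tuples.
    """
    findings = []
    for (mirror, vantage), manifest in observations.items():
        for path, expected in canonical.items():
            seen = manifest.get(path)
            if seen is None:
                findings.append((mirror, vantage, path, "missing"))
            elif seen != expected:
                findings.append((mirror, vantage, path, "mismatch"))
        # Artifacts a mirror serves that the canonical repo never published.
        for path in manifest.keys() - canonical.keys():
            findings.append((mirror, vantage, path, "unexpected"))
    return sorted(findings)

# Constructed sample data: two artifacts in the canonical repo.
JAR = "demo/lib/1.0/lib-1.0.jar"
POM = "demo/lib/1.0/lib-1.0.pom"
CANONICAL = {JAR: digest(b"original jar bytes"), POM: digest(b"<project/>")}

# What the central crawler sees: both mirrors look identical to canonical.
CRAWLER_VIEW = {("mirror-a", "crawler"): dict(CANONICAL),
                ("mirror-b", "crawler"): dict(CANONICAL)}

# What one organization's network sees from mirror-b: a different jar.
ORG_VIEW = {("mirror-b", "org-network"):
            {JAR: digest(b"modified jar bytes"), POM: CANONICAL[POM]}}

if __name__ == "__main__":
    print("crawler only:    ", audit(CANONICAL, CRAWLER_VIEW))
    print("with org vantage:", audit(CANONICAL, {**CRAWLER_VIEW, **ORG_VIEW}))
```

The crawler-only audit comes back clean even though one vantage is served a different jar, which is the false sense of security the reply warns about; the mismatch only appears when the check also runs from the affected network.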