Hi, and thanks for the quick response.

I was unaware of the licensing issue - I don't really have an opinion on the licensing problem, but more the technical issue of unsigned code execution. Whilst you/upstream control the resource, freecad doesn't confirm that the download actually comes from said resource - python will not check this.

An attacker can intercept the https initial handshake and impersonate the resource, as no signatures are checked. This is not hard if they control the network (eg public wifi/fake access point).

I think there are several possible solutions, in varying orders of difficulty:

* Hard-code a given .py git identifier, then check the download's SHA1 or SHA1 _and_ MD5 after the download. Hard-code the matching SHA1 in the freecad sources. Convert the url stream into a binary stream and pass it to python's SHA1 module, then check the result. The downside is of course, this is not upgradeable.

* Implement certificate checking in the freecad source, by locating and finding the debian certificates, parsing them and checking the provider's validity (pretty hard? I'm no python guru, but I understand the next python release will include certificate validation). Upgrades remain, but more complex.

Slightly less serious suggestions:
* Change freecad to use a different dxf backend (eg librecad's internal (BSD))
* Change licence ;)

Thanks!

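As an added example (not code from this bug report, nor from FreeCAD or Debian), one way to combine the two suggestions above in Python: validate the server certificate against the system CA bundle and then compare the fetched bytes against a pinned digest. The bundle path, the function names and the sample payload are assumptions; SHA-256 is used as the default instead of SHA1/MD5 because both of those are considered weak for integrity pinning.

```python
import hashlib
import hmac
import ssl
import urllib.request

# Assumed location of Debian's ca-certificates bundle (package ca-certificates).
CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def digest_matches(data: bytes, expected_hex: str, algo: str = "sha256") -> bool:
    """Return True only if data hashes to the pinned digest.

    hashlib.new() also accepts "sha1" or "md5" if an existing pin uses them;
    compare_digest avoids leaking how much of the digest matched.
    """
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual.lower(), expected_hex.lower())


def fetch_pinned(url: str, expected_hex: str, algo: str = "sha256",
                 cafile: str = CA_BUNDLE) -> bytes:
    """Download url with certificate validation, then enforce the pinned digest.

    create_default_context() turns on CERT_REQUIRED and hostname checking, so an
    impersonating server whose certificate does not chain to the bundle is
    rejected before any bytes are read. The digest check then rejects a file
    that was replaced at the origin or that a broken TLS layer let through.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx) as resp:
        data = resp.read()
    if not digest_matches(data, expected_hex, algo):
        raise ValueError(f"{algo} mismatch for {url}; refusing to use download")
    return data


# Constructed sample: the payload b"abc" and its published SHA-1 / SHA-256 values.
SAMPLE = b"abc"
SAMPLE_SHA1 = "a9993e364706816aba3e25717850c26c9cd0d89d"
SAMPLE_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def check_sample() -> bool:
    """Known-good payload passes with both algorithms; a one-byte change fails."""
    good = (digest_matches(SAMPLE, SAMPLE_SHA256)
            and digest_matches(SAMPLE, SAMPLE_SHA1, "sha1"))
    tampered = digest_matches(b"abd", SAMPLE_SHA256)
    return good and not tampered


if __name__ == "__main__":
    print("pinned digest check on constructed sample:", check_sample())
```

fetch_pinned() is not exercised offline; it needs network access and a real CA bundle at the assumed path.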
