There is an excellent piece at LWN.net (do consider subscribing to this source of quality technical news) about a recent discussion in the Python community on how to "secure" their package manager:
http://lwn.net/SubscriberLink/629426/bf933f7acea8466c/

The article discusses in particular a library called TUF (The Update Framework) that aims to help solve the problem in a package-manager-agnostic way:
http://theupdateframework.com/
(this page has some other interesting links, e.g. to a similar discussion in the Ruby community about RubyGems)

Is there a reference point to a discussion of the security aspects of the OPAM package manager? What I found so far is this 2013 issue by Edwin Török on signing packages:
https://github.com/ocaml/opam/issues/423

As far as I know, the current status is that OPAM checks downloaded packages against the checksum in opam-repository, so it protects against an attacker changing upstream releases, assuming the opam-repository remains trusted and there is no man-in-the-middle (MITM) attack when the user downloads the metadata -- afaik it uses only HTTP currently.

_______________________________________________
Platform mailing list
[email protected]
http://lists.ocaml.org/listinfo/platform
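The trust assumption spelled out in the message above (a checksum in opam-repository catches a modified upstream archive, but not a modified metadata channel) can be made concrete with a small added example. This is illustrative code written for this page, not part of the post or of opam; the `url` file layout it parses is a simplified approximation of the opam-repository format, and the archive bytes are constructed samples.

```python
import hashlib
import re

# Constructed sample: a stripped-down opam-repository "url" file as this
# example assumes it (an approximation of the real format, not an exact copy).
TRUSTED_URL_FILE = '''\
archive: "http://example.invalid/foo-1.0.tar.gz"
checksum: "md5=%s"
'''

GENUINE_ARCHIVE = b"genuine release tarball bytes (constructed sample)"
TAMPERED_ARCHIVE = b"tampered release tarball bytes (constructed sample)"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_checksum(url_file: str) -> tuple:
    """Return (algorithm, hexdigest) from the 'checksum:' line.
    A bare digest with no 'algo=' prefix is treated as md5 (assumed default)."""
    m = re.search(r'^checksum:\s*"(?:(\w+)=)?([0-9a-f]+)"', url_file, re.M)
    if not m:
        raise ValueError("no checksum field in url file")
    return (m.group(1) or "md5"), m.group(2)


def verify_archive(url_file: str, archive: bytes) -> bool:
    """The check opam performs in spirit: digest of the downloaded archive
    must equal the digest recorded in the repository metadata."""
    algo, expected = parse_checksum(url_file)
    return hashlib.new(algo, archive).hexdigest() == expected


def scenario_upstream_tampered() -> bool:
    """Metadata comes from the trusted repo, but the archive was altered
    upstream: the recorded checksum no longer matches, so the check fails."""
    meta = TRUSTED_URL_FILE % md5_hex(GENUINE_ARCHIVE)
    return verify_archive(meta, TAMPERED_ARCHIVE)


def scenario_metadata_channel_tampered() -> bool:
    """Metadata and archive both arrive over the same plain-HTTP channel and
    both were rewritten consistently: the checksum matches, so the check alone
    detects nothing. Integrity of the metadata channel is the real dependency."""
    meta = TRUSTED_URL_FILE % md5_hex(TAMPERED_ARCHIVE)
    return verify_archive(meta, TAMPERED_ARCHIVE)
```

The two scenarios return False and True respectively, which is exactly why signing the repository metadata (or a TUF-style layering of roles and keys) is the gap the message asks about.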
