(sorry Sam, forgot to Cc list)

Thank you for disclosing these vulnerabilities! Responsible disclosure helps everyone.

Sam Tobin-Hochstadt <sa...@cs.indiana.edu> writes:

> * Check any packages you have uploaded to the site, to ensure that no
> unexpected changes have been made to them.

Is package signing on Racket's roadmap? The only way to protect against these kinds of attacks is to have clients verify package signatures. Every major Linux package manager now does this. I think it's at least worth seriously considering.

One question: If an attacker was able to access the server under the privileges of the package website, what's stopping them from just silently uploading a change and then removing that entry from the "Package Changes" list?
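The property asked for above, that a client can detect a package modified on the server because the signature was produced on the author's machine with a key the server never holds, in an added illustration that is not part of this thread and not Racket's package catalog code. It uses Go's standard-library `crypto/ed25519`; the `SignedPackage` layout, the `greeter` package name and its contents are constructed for the example, and the client is assumed to have obtained the author's public key out of band rather than from the same server that serves the archive.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedPackage bundles an archive with a detached signature over its digest.
// Constructed format for this example, not the Racket catalog's format.
type SignedPackage struct {
	Name      string
	Archive   []byte
	Signature []byte
}

// packageDigest binds the package name to the archive bytes, so a valid
// signature for one package cannot be replayed under a different name.
func packageDigest(name string, archive []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator so name/archive boundaries are unambiguous
	h.Write(archive)
	return h.Sum(nil)
}

// SignPackage runs on the author's machine; the private key never reaches
// the package server, so a server compromise cannot forge signatures.
func SignPackage(priv ed25519.PrivateKey, name string, archive []byte) SignedPackage {
	return SignedPackage{
		Name:      name,
		Archive:   archive,
		Signature: ed25519.Sign(priv, packageDigest(name, archive)),
	}
}

// VerifyPackage is the client-side check after download, using a public key
// pinned locally (assumption: obtained out of band, not from the server).
func VerifyPackage(pub ed25519.PublicKey, pkg SignedPackage) bool {
	if len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, packageDigest(pkg.Name, pkg.Archive), pkg.Signature)
}

// TamperDetected plays out the scenario from the thread: the author signs a
// package, the server-side copy is silently altered, and the client verifies
// both. It returns (originalVerifies, modifiedVerifies).
func TamperDetected() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed package contents for the example.
	original := []byte("#lang racket\n(provide greet)\n(define (greet) \"hello\")\n")
	pkg := SignPackage(priv, "greeter", original)
	before := VerifyPackage(pub, pkg)

	// Simulated server-side modification: one string in the archive changes,
	// the signature field is left untouched (the attacker lacks the key).
	modified := pkg
	modified.Archive = bytes.Replace(pkg.Archive, []byte("hello"), []byte("changed"), 1)
	after := VerifyPackage(pub, modified)
	return before, after
}

func main() {
	before, after := TamperDetected()
	fmt.Printf("original verifies: %v, server-modified verifies: %v\n", before, after)
}
```

Note that this detects modification of the archive regardless of what the server's change log shows, which is the point raised in the question: a signed manifest is checked against the key, not against the server's own bookkeeping.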