
Piwik asks for write access to lots of files #10706

Closed
p-blomberg opened this issue Oct 6, 2016 · 5 comments
Labels
answered For when a question was asked and we referred to forum or answered it. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.

Comments

@p-blomberg

p-blomberg commented Oct 6, 2016

Piwik 2.16.5 intends to be secure, but asks for permissions to overwrite parts of itself all the time. From a security standpoint, this is unacceptable.

Here are some examples:

  • In Admin -> Diagnostic -> System Check, Piwik begs me to make piwik.js writable. It even says "In the future even some core features might not work as expected".
  • Upgrades from earlier versions cannot be completed if config/config.ini.php is not writable.
  • The tmp dir is required to be writable, and is placed in the piwik directory served by the webserver (like everything else). We should have the option to keep this directory somewhere else, such as /tmp/piwik.
  • Usage of the auto-update and marketplace features is encouraged, even though they are insecure by design. The web server user should not have access to install software.

There are some other security issues as well, that make me uncomfortable using piwik for a large site.

  • As far as I can tell, there is no mailing list for security announcements, only an RSS feed for new versions.
  • Many parts of the Piwik.org website are served over http instead of https, even though the server is capable of https.
  • When downloading a new version, there is no checksum to make sure the file is complete and has not been altered.

@iMarkus
Contributor

iMarkus commented Oct 10, 2016

I also had to change the tmp directory in global.php for security reasons.

We should have the option to configure this directory in the config.ini.php

@mattab mattab added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Nov 12, 2016
@mattab
Member

mattab commented Nov 12, 2016

Thanks for the great feedback and summary of important security topics 👍

> In Admin -> Diagnostic -> System Check, piwik begs for me to make piwik.js writable. It even says "In the future even some core features might not work as expected".

Good point. Created #10855 for this.

> Upgrades from earlier versions cannot be completed if config/config.ini.php is not writable

Yes, a writable config is needed by design (mostly because we store the list of activated plugins in config). Typically you make the file writable while the update is running, then make it read-only again. Are there maybe other issues with this?

> The tmp dir is required to be writable, and is placed in the piwik directory served by the webserver (like everything else). We should have the option to keep this directory somewhere else, such as /tmp/piwik

Created #10854.

> Usage of the auto-update and marketplace features are encouraged, even though they are insecure by design. The web server user should not have access to install software.

Yes, by design we encourage using the Marketplace because of the huge value it provides. However, we also make it easy to disable the Marketplace: simply deactivate the marketplace plugin (in Piwik 2.17.0, where the marketplace was vastly improved!).

> As far as I can tell, there is no mailing list for security announcements, only an RSS feed for new versions

You can sign up here: http://madmimi.com/signups/139168/join. We need to show it on the website; covered in #7063 (comment).

> When downloading a new version, there is no checksum to make sure the file is complete and has not been altered.

For this we use a PGP signature. It's documented in http://piwik.org/blog/2014/11/verify-signatures-piwik-packages/ and we'll show this on the download page soon (#10687).

Feel free to open new issues or post further feedback here 👍

@mattab mattab closed this as completed Nov 12, 2016
@mattab mattab added the answered For when a question was asked and we referred to forum or answered it. label Nov 12, 2016
@p-blomberg
Author

> > Upgrades from earlier versions cannot be completed if config/config.ini.php is not writable
>
> Yes, a writable config is needed by design (mostly because we store the list of activated plugins in config). Typically you make the file writable while the update is running, then make it read-only again. Are there maybe other issues with this?

Sorry, I can't accept this as a solution. The config file is a PHP file, so any code in it will be executed. This means that the application should not be able to write to it, because if it can write to the file, it can inject code.
Instead, give the administrator a list of the changes that are needed in the config file during the update, and let me do the changes myself.
The whole point of a config file is for the administrator to tell the application how it should behave, not for the application to configure itself however it wants. I want to keep version control of all configuration changes and be able to understand why each change was made.
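The two comments above describe the same operational pattern from opposite sides: the maintainer's "make the file writable while the update is running, then make it read-only again", and the reporter's concern that a PHP config file the web server user can write is a code-injection path. A small POSIX shell check for that state is shown below. This is an added example, not code from the Piwik project or either commenter; the install layout it audits and the constructed sample tree are assumptions.

```shell
#!/bin/sh
# Added example (not Piwik project code): audit a Piwik/Matomo install tree for
# files the web server user could overwrite, and lock them down again after an
# update. The install path and the sample tree below are assumptions.

# List regular files outside tmp/ whose mode grants group or world write.
# tmp/ is skipped because Piwik needs it writable by design; everything else
# (config/config.ini.php, piwik.js, plugins/) is executable code or config that
# should be read-only between updates.
audit_writable() {
    root="$1"
    find "$root" -path "$root/tmp" -prune -o -type f \
        \( -perm -020 -o -perm -002 \) -print | sort
}

# Number of offending files, for a quick pass/fail in a deploy check.
count_writable() {
    audit_writable "$1" | wc -l | tr -d ' '
}

# Remove group/world write from everything outside tmp/ (the "make it
# read-only again" step after an update has finished).
harden_tree() {
    root="$1"
    find "$root" -path "$root/tmp" -prune -o -type f -exec chmod go-w {} +
}

# Build a small constructed tree that mimics the layout discussed in the issue,
# so the functions above can be exercised without a real install.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/config" "$d/plugins/Foo" "$d/tmp/cache"
    : > "$d/config/config.ini.php"; chmod 664 "$d/config/config.ini.php" # group-writable: bad
    : > "$d/piwik.js";              chmod 644 "$d/piwik.js"              # read-only: fine
    : > "$d/plugins/Foo/Foo.php";   chmod 666 "$d/plugins/Foo/Foo.php"   # world-writable: bad
    : > "$d/tmp/cache/x.php";       chmod 666 "$d/tmp/cache/x.php"       # tmp/ is writable by design
    echo "$d"
}

# Usage: sh audit_writable.sh /path/to/piwik
if [ -n "${1:-}" ]; then
    audit_writable "$1"
fi
```

The check looks at permission bits rather than calling `test -w`, so it gives the same answer whether it is run as root or as the web server account. Run `harden_tree` as the final step of an update and `count_writable` from a deploy pipeline; a non-zero count means the window the maintainer described is still open.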

@mattab
Member

mattab commented Dec 6, 2016

> Instead, give the administrator a list of the changes that are needed in the config file during the update, and let me do the changes myself.

That's a nice idea! It could technically be done in the future. Feel free to create a separate issue (as the scope would be smaller than this current issue) 👍

@sowmyar13

Hello,

I am also looking at a similar kind of requirement, where I don't want to give write permission to the config.ini.php file. I want system administrators to update the file rather than the browser updating the configuration file. Please let me know any solution to achieve this. Currently it's a blocker.
