Insecure installation archives #5036

Closed
anonymous-matomo-user opened this issue Apr 23, 2014 · 1 comment
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. duplicate For issues that already existed in our issue tracker and were reported previously. Task Indicates an issue is neither a feature nor a bug and it's purely a "technical" change.
Comments

@anonymous-matomo-user

Unfortunately, it's impossible for a user of Piwik to determine if he/she downloaded a legitimate and checked release of Piwik. The Piwik website provides neither checksums nor signatures for the offered installation archives. Additionally, installation archives have no clear names, which would enable the user to see the version of the release.

I know that Piwik takes security seriously and in my opinion this is a real issue.

If the releases are distributed in zip archives, the countermeasures could be:

  • Before a release is published, the code could be copied to a standalone system and the integrity of the code could be tested in a documented way (for example by reviewing the code changes since the previous release).
  • Afterwards the code could be archived and signed on that system.

Keywords: security gpg signing release packaging
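The two countermeasures proposed above (publish a checksum for each archive, and sign the archive on the release system) can be exercised end to end with the following script. It is an added example, not code from the Piwik/Matomo project: the archive name `piwik-X.Y.Z.zip` and the signing key id are placeholders, the archive contents are constructed in a temporary directory, and the GPG functions assume `gpg` is installed with the release key available (they are defined for completeness but not run by the demo so that the checksum part works offline).

```shell
#!/bin/sh
# Added example (not Piwik/Matomo project code): produce and verify the
# integrity artifacts a release manager would publish next to an
# installation archive, and show how a downloader checks them.
set -eu

# Print only the hex SHA-256 digest of a file (coreutils or macOS fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Release side: write "<digest>  <name>" to "$1.sha256", the format that
# `sha256sum -c` understands, so users can verify without custom tooling.
publish_checksums() {
    printf '%s  %s\n' "$(sha256_of "$1")" "$(basename "$1")" > "$1.sha256"
}

# Release side: detached, ASCII-armoured signature over the archive.
# $1 = archive path, $2 = key id of the release signing key (placeholder).
sign_release() {
    gpg --batch --yes --local-user "$2" --armor --detach-sign \
        --output "$1.asc" "$1"
}

# User side: compare the archive digest with the published one.
# Returns 0 on match, 1 on mismatch (tampered or truncated download).
verify_checksum() {
    expected=$(awk '{print $1}' "$2")
    actual=$(sha256_of "$1")
    [ "$expected" = "$actual" ]
}

# User side: verify the detached signature; requires the release key to be
# imported and trusted in the local keyring beforehand.
verify_signature() {
    gpg --batch --verify "$1.asc" "$1"
}

# Demo with a constructed archive. The version-bearing file name addresses
# the "no clear names" point from the report.
demo_dir=$(mktemp -d)
archive="$demo_dir/piwik-X.Y.Z.zip"
printf 'constructed archive contents (not a real zip)\n' > "$archive"

publish_checksums "$archive"
if verify_checksum "$archive" "$archive.sha256"; then
    echo "checksum OK for $(basename "$archive")"
fi

# Simulate a modified download: the published digest no longer matches.
printf 'injected bytes\n' >> "$archive"
if verify_checksum "$archive" "$archive.sha256"; then
    echo "unexpected: tampered archive passed"
else
    echo "checksum MISMATCH for $(basename "$archive") (tampered)"
fi
rm -rf "$demo_dir"
```

A checksum alone only detects accidental corruption or a mirror serving a different file; because the checksum file is usually fetched from the same site as the archive, the detached signature (`sign_release` / `verify_signature`) is what binds the archive to the release key, and the key fingerprint should be published through a channel other than the download page.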

@mattab
Member

mattab commented Apr 27, 2014

Thanks for the security suggestion. See duplicate ticket: #1757 Code signing

@anonymous-matomo-user anonymous-matomo-user added this to the 2.x - The Great Piwik 2.x Backlog milestone Jul 8, 2014
This issue was closed.