Insecure installation archives #5036
Labels: c: Security, duplicate, Task
Unfortunately it's impossible for a user of Piwik to determine if he/she downloaded a legitimate and checked release of Piwik. The Piwik website provides neither checksums nor signatures for the offered installation archives. Additionally, installation archives have no clear names, which would enable the user to see the version of the release.
I know that Piwik takes security seriously and in my opinion this is a real issue.
If the releases are distributed in zip archives, the countermeasures could be:
Keywords: security, gpg, signing, release, packaging
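The two gaps the report names (no published digest or signature, and no version in the archive name) are what a download-side check would close. The following is an added example, not code from the issue or from the Matomo/Piwik project: a small Python verifier that parses a `sha256sum`-style checksum file, compares the archive's digest in constant time, reads the version out of an assumed `<project>-<version>.zip` naming convention, and, if `gpg` happens to be installed, checks a detached signature over the checksum file. The file name `piwik-2.16.0.zip`, the `SHA256SUMS` file and the archive bytes are all constructed for the demo.

```python
import hashlib
import hmac
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Assumed naming convention for the example: <project>-<major.minor.patch>.zip|tar.gz
VERSIONED_NAME = re.compile(r"^(?P<name>[a-z]+)-(?P<version>\d+\.\d+\.\d+)\.(zip|tar\.gz)$")


def version_from_filename(filename):
    """Return the release version carried in the archive name, or None if the name has none."""
    m = VERSIONED_NAME.match(filename)
    return m.group("version") if m else None


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*").strip()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest: {raw!r}")
        sums[name] = digest
    return sums


def verify_checksum(archive, sums):
    """True only if the published entry for this file name matches the archive's real digest."""
    expected = sums.get(Path(archive).name)
    if expected is None:
        return False  # no published digest for this name: treat as unverified, not as a pass
    return hmac.compare_digest(sha256_of_file(archive), expected)


def verify_signature(sums_file, sig_file):
    """Verify a detached GPG signature over the checksum file.

    Returns True/False, or None when gpg is not installed (the caller must not treat
    'could not check' as 'verified'). The signing key must already be in the keyring."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    r = subprocess.run([gpg, "--verify", str(sig_file), str(sums_file)], capture_output=True)
    return r.returncode == 0


def demo(workdir=None):
    """Build a constructed release directory, verify it, then tamper with the archive and re-verify."""
    workdir = Path(workdir or tempfile.mkdtemp())
    archive = workdir / "piwik-2.16.0.zip"  # constructed name, not a real release
    archive.write_bytes(b"PK\x03\x04 constructed stand-in for a release archive")
    sums_text = f"{sha256_of_file(archive)}  {archive.name}\n"
    (workdir / "SHA256SUMS").write_text(sums_text)

    sums = parse_sha256sums(sums_text)
    checksum_ok = verify_checksum(archive, sums)

    # Simulate a modified download served under the same file name.
    archive.write_bytes(b"PK\x03\x04 constructed stand-in for a release archive, altered")
    tampered_ok = verify_checksum(archive, sums)

    return {
        "version": version_from_filename(archive.name),
        "checksum_ok": checksum_ok,
        "tampered_ok": tampered_ok,
        "unversioned_name": version_from_filename("piwik.zip"),
    }


if __name__ == "__main__":
    print(demo())
```

The checksum file is only worth as much as its own authenticity, which is why the signature check is over `SHA256SUMS` rather than the archive: one signature then covers every artifact listed, and a mirror that swaps the archive also has to forge the signed file. The `None` return from `verify_signature` is deliberate so that an environment without `gpg` fails closed in the caller rather than silently passing.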