Collaborate Disseminate
Does Firefox’s built-in installer for addons/extensions validate its payload’s authentication and integrity for all files it downloads before actually installing them?
I avoid in-app updates because, more often than not, developers do not … Continue reading Does Firefox’s addon/extension installer provide cryptographic authentication and integrity validation?
I have a Node.js app which has a lot of npm-dependencies, running on Linux (Centos) machine.
When Node starts, the script has access to the files outside its directory (as least by default), so malicious npm-package could traverse a direct… Continue reading Restrict node.js filesystem access
I have a server that runs Ubuntu Server 20.04 LTS. This version of nginx provided by the official repository is 1.18.0, which in turn is vulnerable to CVE-2021-23017. However, the changelog says that the version provided by the Ubuntu repo… Continue reading How to check if a certain vulnerability has been fixed with a backport? [migrated]
Looking to create a form where developers can submit requests for packages to be installed. We want to create a list of questions that can help us determine whether or not a package is safe. What are some important questions to include in … Continue reading How to vet third-party developer packages
Another question (Is it possible to block non-PyPI requests during pip install?) asked about locking down non-PyPI pip installs for security reasons. This doesn’t deal with the problem of malicious packages within PyPI itself. So, I woul… Continue reading How do you lock down PyPI access?
flatkill has been floating around for a while, and honestly it was the reason I was personally resistant to using flatpak packages for a while.
I’m wondering though, most of the article is written from the perspective that you are installi… Continue reading what are the risk associated with installing flatpaks at user level
flatkill has been floating around for a while, and honestly it was the reason I was personally resistant to using flatpak packages for a while.
I’m wondering though, most of the article is written from the perspective that you are installi… Continue reading what are the risk associated with installing flatpaks at user level
Does the flatpak package manager in Fedora-based systems require successful cryptographic authentication and integrity validation for all packages?
I know that software downloaded with apt-get packages must be cryptographically verified be… Continue reading Does flatpak enforce cryptographic authentication and integrity validation by default for all packages? (fedora)
I just noticed a strange loop device that was added to my machine today.
It is mounted under /run/media/<user>/CENA_X86FREE_EN-US_DV9 and seems to contain Windows files, probably a Windows installer with a bit more than 4.1GB used sp… Continue reading Loop device added at package installation – is it a security threat?
Does the yum package manager in CentOS/RHEL-based systems require successful cryptographic authentication and integrity validation for all packages?
I know that software downloaded with apt-get packages must be cryptographically verified b… Continue reading Does yum enforce cryptographic authentication and integrity validation by default for all packages? (CentOS, RHEL)