Collaborate Disseminate
Does the flatpak package manager in Fedora-based systems require successful cryptographic authentication and integrity validation for all packages?
I know that software downloaded with apt-get packages must be cryptographically verified be… Continue reading Does flatpak enforce cryptographic authentication and integrity validation by default for all packages? (fedora)
I just noticed a strange loop device that was added to my machine today.
It is mounted under /run/media/<user>/CENA_X86FREE_EN-US_DV9 and seems to contain Windows files, probably a Windows installer with a bit more than 4.1GB used sp… Continue reading Loop device added at package installation – is it a security threat?
Does the yum package manager in CentOS/RHEL-based systems require successful cryptographic authentication and integrity validation for all packages?
I know that software downloaded with apt-get packages must be cryptographically verified b… Continue reading Does yum enforce cryptographic authentication and integrity validation by default for all packages? (CentOS, RHEL)
Does rust’s cargo package manager cryptographically validate its payload’s authentication and integrity for all packages after downloading them and before installing them?
I see a lot of guides providing installation instructions with step… Continue reading Does rust’s Cargo provide cryptographic authentication and integrity validation?
I am well aware that the best approach is to update any dependency, no matter whether it is a development dependency or a runtime/production dependency.
But from a research prospective, I want to know whether a vulnerability in development… Continue reading Are devDependencies in Node.js exploitable?
I consider WEB of trust as a failed initiative (search for SKS key poisoning mass occurred in 2019).
PGP is used to sign software in source (commits / tags in Git/Mercirual) & binary (compiled artifacts) forms.
Currently when I downloa… Continue reading Cross signing practice for PGP package signing keys?
It has been brought up in the past that package managers such as pip are vulnerable to man in the middle attacks (see https://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/). This is due to all pack… Continue reading Possibility of Man-in-the-middle Attack on Homebrew
Does the built-in dnf package manager in Fedora-based systems require successful cryptographic authentication and integrity validation for all packages?
I know that software downloaded with apt-get packages must be cryptographically verifi… Continue reading Does dnf enforce cryptographic authentication and integrity validation by default for all packages? (fedora linux)
Does the built-in pacman package manager in Arch-based systems require successful cryptographic authentication and integrity validation for all packages?
I know that software downloaded with apt-get packages must be cryptographically verif… Continue reading Does pacman enforce cryptographic authentication and integrity validation by default for all packages? (arch linux)
Does the snapd package manager in Debian-based systems require successful cryptographic authentication and integrity validation for all packages?
I know that software downloaded with apt-get packages must be cryptographically verified beca… Continue reading Does snapd enforce cryptographic authentication and integrity validation by default for all packages? (debian, ubuntu)