There are detached sig files for Geany releases, but do any plugins or tag files (like CSS tag files) have sig files to verify them?
It's great to verify the main program, but one tampered extra file could be painful.
I doubt any Geany developers would have time to review every 3rd party submitted file, similar to Mozilla Addons. Thanks.
On 2019-10-11 6:43 p.m., bendov@gmx.com wrote:
There are detached sig files for Geany releases, but do any plugins or tag files (like CSS tag files) have sig files to verify them?
It's great to verify the main program, but one tampered extra file could be painful.
I doubt any Geany developers would have time to review every 3rd party submitted file, similar to Mozilla Addons. Thanks.
Can you give a concrete example of a file, plugin or otherwise that you are referring to?
Regards, Matthew Brush
On Sat, 12 Oct 2019 at 12:29, Matthew Brush mbrush@codebrainz.ca wrote:
On 2019-10-11 6:43 p.m., bendov@gmx.com wrote:
There are detached sig files for Geany releases, but do any plugins or tag files (like CSS tag files) have sig files to verify them?
The Geany plugins collection releases have sigs I believe.
It's great to verify the main program, but one tampered extra file could be painful.
I doubt any Geany developers would have time to review every 3rd party submitted file, similar to Mozilla Addons.
But random files on the wiki or elsewhere are not covered.
Cheers Lex
Thanks.
Can you give a concrete example of a file, plugin or otherwise that you are referring to?
Regards, Matthew Brush
Users mailing list Users@lists.geany.org https://lists.geany.org/cgi-bin/mailman/listinfo/users
On 10/11/19 9:29 PM, Matthew Brush wrote:
a concrete example of a file, plugin or otherwise that you are referring to?
Yes - "like CSS tag files" https://wiki.geany.org/tags/start#css_tags
It doesn't really matter which file, plugin, etc. Just that they're not included in the dev's final build of Geany, which is then signed by the devs.
Any 3rd party file, plugin... included in the Geany package is checked against the developer(s) signature of the entire final package - included plugins & all.
None of the other plugins, tag files, etc., for Geany have any assurance they haven't been tampered with since uploaded to Geany servers.
That's not to say the individual developers of plugins & 3rd party "stuff" for Geany intentionally uploaded malicious content.
Apparently, almost any site, business or network of any gov't in the world CAN be hacked & sometimes files are replaced with tampered copies - because it happens all the time.
That's part, but not all, of why most Linux distros caution against getting apps or files from sources besides their repos. I know it'd be an undertaking for any app's team to check out every 3rd party file that's available for an app like Geany. I don't pretend to have all the answers.
Mozilla, among others, started making addon devs sign their .xpi packages for a reason - though they don't use PGP signatures. Mozilla reviews addons before making them available on AMO. Sure, Mozilla has LOTS of cash. Again, I don't have all the answers.
On 2019-10-12 1:26 p.m., bendov@gmx.com wrote:
a concrete example of a file, plugin or otherwise that you are referring to?
Yes - "like CSS tag files" https://wiki.geany.org/tags/start#css_tags
It doesn't really matter which file, plugin, etc. Just that they're not included in the dev's final build of Geany, which is then signed by the devs.
It does matter, for the reason you said, that's why I asked for clarification :)
Any 3rd party file, plugin... included in the Geany package is checked against the developer(s) signature of the entire final package - included plugins & all.
None of the other plugins, tag files, etc., for Geany have any assurance they haven't been tampered with since uploaded to Geany servers.
That's correct, nothing outside of official releases/repositories are reviewed or signed by members of Geany team.
That's not to say the individual developers of plugins & 3rd party "stuff" for Geany intentionally uploaded malicious content.
Apparently, almost any site, business or network of any gov't in the world CAN be hacked & sometimes files are replaced with tampered copies - because it happens all the time.
Nevermind hacking, the wiki is open to anyone who signs up :)
That's part, but not all, of why most Linux distros caution against getting apps or files from sources besides their repos. I know it'd be an undertaking for any app's team to check out every 3rd party file that's available for an app like Geany. I don't pretend to have all the answers.
Well most files are simply non-executable data files. Short of having malicious content specifically crafted to trigger bugs in Geany/GTK+/GLib/etc. code, they can't do much. Obviously if you install a filetype file which lists external commands for Geany to run, they could contain whatever is listed there, be it `rm -rf /` or whatever malicious thing, but the files/commands are easy to examine either directly or through the GUI.
Mozilla, among others, started making addon devs sign their .xpi packages for a reason - though they don't use PGP signatures. Mozilla reviews addons before making them available on AMO. Sure, Mozilla has LOTS of cash. Again, I don't have all the answers.
Heh, and then they let their certificates expire[0] and break the Internet for all its users :)
But more seriously, this is one of the reasons the Geany-Plugins[1] project exists; to provide a curated, tested, maintained set of plugins that should be OK to use. It's theoretically possible for bad code to get into the plugins, just like in any project with multiple contributors, but it's presumably less likely than some random plugin from the Internet.
Regards, Matthew Brush
[0]: https://hacks.mozilla.org/2019/05/technical-details-on-the-recent-firefox-ad...
[1]: https://github.com/geany/geany-plugins
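The two checks the thread leaves the reader to do by hand, as an added example (not code from the thread, the Geany project or Mozilla): for a file outside the signed release, pin the SHA-256 you recorded when you reviewed it; for a release tarball, run gpg against its detached signature; and for a filetype definition, pull out every key Geany hands to a shell so the `rm -rf /` case is visible before the file is installed. The section/key names treated as command-bearing ([build-menu] *_CM, [build_settings] compiler/linker/run_cmd, [settings] context_action_cmd) are taken from Geany's documented filetypes.*.conf format and are assumed complete enough for this purpose; the sample conf and the SUSPICIOUS substring list are constructed for the example.

```python
"""Added example: audit a Geany add-on file that is not covered by the
release signature.  Not Geany project code; sample input is constructed."""
import configparser
import hashlib
import hmac
import shutil
import subprocess

# Keys whose values Geany passes to a shell.  Taken from the documented
# filetypes.*.conf format (assumed complete enough for this example):
# [build-menu] FT_nn_CM / NF_nn_CM / EX_nn_CM, the older [build_settings]
# compiler/linker/run_cmd, and [settings] context_action_cmd.
COMMAND_KEYS = {
    "build_settings": {"compiler", "linker", "run_cmd"},
    "settings": {"context_action_cmd"},
}
BUILD_MENU_CMD_SUFFIX = "_cm"  # configparser lower-cases option names

# Substrings that warrant a closer look (constructed list; the thread's own
# `rm -rf /` is the obvious member).
SUSPICIOUS = ("rm -rf", "curl ", "wget ", "| sh", "| bash", "base64 ")

# Constructed sample resembling a filetype definition someone might post.
SAMPLE_CONF = """\
[settings]
extension=c
comment_open=/*
comment_close=*/

[build-menu]
FT_00_LB=_Compile
FT_00_CM=gcc -Wall -c "%f"
FT_00_WD=
EX_00_LB=_Execute
EX_00_CM=rm -rf /
"""


def extract_commands(conf_text):
    """Return (section, key, command) for every non-empty key Geany would execute."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    found = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if not value.strip():
                continue  # e.g. FT_00_WD= (empty working dir) runs nothing
            is_build_menu_cmd = (section == "build-menu"
                                 and key.endswith(BUILD_MENU_CMD_SUFFIX))
            if is_build_menu_cmd or key in COMMAND_KEYS.get(section, ()):
                found.append((section, key, value))
    return found


def flag_suspicious(commands):
    """Subset of extract_commands() output containing a SUSPICIOUS substring."""
    return [c for c in commands if any(tok in c[2] for tok in SUSPICIOUS)]


def sha256_hex(data_or_path):
    """SHA-256 of raw bytes, or of a file given by path."""
    h = hashlib.sha256()
    if isinstance(data_or_path, (bytes, bytearray)):
        h.update(data_or_path)
    else:
        with open(data_or_path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
    return h.hexdigest()


def matches_pinned_hash(data_or_path, pinned_hex):
    """For an unsigned file the only assurance is a hash you recorded when you
    reviewed it.  Constant-time compare, case-insensitive on the hex."""
    return hmac.compare_digest(sha256_hex(data_or_path), pinned_hex.strip().lower())


def verify_detached_signature(path, sig_path):
    """Run `gpg --verify <sig> <file>` for a release-style detached signature.
    True only when gpg exits 0 (good signature by a key in your keyring; whether
    to trust that key is a separate decision, checked against the project's
    published fingerprint), False otherwise, None if gpg is not installed."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    res = subprocess.run([gpg, "--batch", "--verify", str(sig_path), str(path)],
                         capture_output=True, text=True)
    return res.returncode == 0


if __name__ == "__main__":
    cmds = extract_commands(SAMPLE_CONF)
    for section, key, cmd in cmds:
        print(f"[{section}] {key} = {cmd}")
    for _, key, cmd in flag_suspicious(cmds):
        print(f"SUSPICIOUS: {key} = {cmd}")
    print("sha256 of sample:", sha256_hex(SAMPLE_CONF.encode()))
```

Run it against a real filetypes.*.conf by passing the file's text to extract_commands(); the substring list is only a prompt to read the flagged line, not a verdict, and a clean result still leaves the data-only sections (styling, keywords) to the parser bugs Matthew mentions.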
It doesn't really matter which file, plugin, etc. Just that they're not included in the dev's final build of Geany, which is then signed by the devs.
You said it yourself, "they are not included in a build of Geany"; that answers the whole question.
None of the other plugins, tag files, etc., for Geany have any assurance they haven't been tampered with since uploaded to Geany servers.
That's correct, nothing outside of official releases/repositories are reviewed or signed by members of Geany team.
But if anyone reports egregious harm then, as the wiki is backed by a VCS, the damaging post can be reverted.
That's not to say the individual developers of plugins & 3rd party "stuff" for Geany intentionally uploaded malicious content.
Apparently, almost any site, business or network of any gov't in the world CAN be hacked & sometimes files are replaced with tampered copies - because it happens all the time.
Nevermind hacking, the wiki is open to anyone who signs up :)
And all posts are recorded against the username.
That's part, but not all, of why most Linux distros caution against getting apps or files from sources besides their repos. I know it'd be an undertaking for any app's team to check out every 3rd party file that's available for an app like Geany. I don't pretend to have all the answers.
Well most files are simply non-executable data files. Short of having malicious content specifically crafted to trigger bugs in Geany/GTK+/GLib/etc. code, they can't do much. Obviously if you install a filetype file which lists external commands for Geany to run, they could contain whatever is listed there, be it `rm -rf /` or whatever malicious thing, but the files/commands are easy to examine either directly or through the GUI.
Yes, like everything found on the internet, check it!!!
Geany is an IDE, that means its intended users are programmers so they are expected to have more knowledge than random users; Mozilla is a browser used mostly by computer-illiterate users and quite rightly takes more steps to ensure its users' safety.
Mozilla, among others, started making addon devs sign their .xpi packages for a reason - though they don't use PGP signatures. Mozilla reviews addons before making them available on AMO. Sure, Mozilla has LOTS of cash. Again, I don't have all the answers.
Heh, and then they let their certificates expire[0] and break the Internet for all its users :)
But more seriously, this is one of the reasons the Geany-Plugins[1] project exists; to provide a curated, tested, maintained set of plugins that should be OK to use. It's theoretically possible for bad code to get into the plugins, just like in any project with multiple contributors, but it's presumably less likely than some random plugin from the Internet.
And the Geany plugins are available in most distros' repos, albeit often somewhat behind the latest.
Cheers Lex
Regards, Matthew Brush