[Geany-Users] signature files for plugins, etc?

bendov at gmx.com bendov at xxxxx
Sat Oct 12 20:26:38 UTC 2019


>   a concrete example of a file, plugin or otherwise that you
> are referring to?
Yes - "like CSS tag files" https://wiki.geany.org/tags/start#css_tags

It doesn't really matter which file, plugin, etc.  Just that they're not
included in the dev's final build of Geany, which is then signed by the
devs.

Any 3rd party file, plugin... included in the Geany package is checked
against the developer(s) signature of the entire final package -
included plugins & all.

None of the other plugins, tag files, etc., for Geany have any assurance
they haven't been tampered with since uploaded to Geany servers.

That's not to say the individual developers of plugins & 3rd party
"stuff" for Geany intentionally uploaded malicious content.

Apparently, almost any site, business or network of any gov't in the
world CAN be hacked & sometimes files are replaced with tampered copies
- because it happens all the time.

That's part, but not all, of why most Linux distros caution against
getting apps or files from sources besides their repos.  I know it'd be
an undertaking for any app's team to check out every 3rd party file
that's available for an app like Geany.  I don't pretend to have all the
answers.

Mozilla, among others, started making addon devs sign their .xpi
packages for a reason - though they don't use PGP signatures. Mozilla
reviews addons before making them available on AMO.  Sure, Mozilla has
LOTS of cash.  Again, I don't have all the answers.

On 10/11/19 9:29 PM, Matthew Brush wrote:
>   a concrete example of a file, plugin or otherwise that you
> are referring to?


