[Geany-Users] signature files for plugins, etc?

Matthew Brush mbrush at xxxxx
Sat Oct 12 23:20:32 UTC 2019


On 2019-10-12 1:26 p.m., bendov at gmx.com wrote:
>>   a concrete example of a file, plugin or otherwise that you
>> are referring to?
> Yes - "like CSS tag files" https://wiki.geany.org/tags/start#css_tags
> 
> It doesn't really matter which file, plugin, etc.  Just that they're not
> included in the dev's final build of Geany, which is then signed by the
> devs.
> 

It does matter, for the reason you said; that's why I asked for 
clarification :)

> Any 3rd party file, plugin... included in the Geany package is checked
> against the developer(s) signature of the entire final package -
> included plugins & all.
> 
> None of the other plugins, tag files, etc., for Geany have any assurance
> they haven't been tampered with since uploaded to Geany servers.
> 

That's correct, nothing outside of official releases/repositories is 
reviewed or signed by members of the Geany team.

> That's not to say the individual developers of plugins & 3rd party
> "stuff" for Geany intentionally uploaded malicious content.
> 
> Apparently, almost any site, business or network of any gov't in the
> world CAN be hacked & sometimes files are replaced with tampered copies
> - because it happens all the time.
> 

Never mind hacking, the wiki is open to anyone who signs up :)

> That's part, but not all, of why most Linux distros caution against
> getting apps or files from sources besides their repos.  I know it'd be
> an undertaking for any app's team to check out every 3rd party file
> that's available for an app like Geany.  I don't pretend to have all the
> answers.
> 

Well most files are simply non-executable data files. Short of having 
malicious content specifically crafted to trigger bugs in 
Geany/GTK+/GLib/etc. code, they can't do much. Obviously if you install 
a filetype file which lists external commands for Geany to run, they 
could contain whatever is listed there, be it `rm -rf /` or whatever 
malicious thing, but the files/commands are easy to examine either 
directly or through the GUI.

> Mozilla, among others, started making addon devs sign their .xpi
> packages for a reason - though they don't use PGP signatures. Mozilla
> reviews addons before making them available on AMO.  Sure, Mozilla has
> LOTS of cash.  Again, I don't have all the answers.
> 

Heh, and then they let their certificates expire[0] and break the 
Internet for all its users :)

But more seriously, this is one of the reasons the Geany-Plugins[1] 
project exists: to provide a curated, tested, maintained set of plugins 
that should be OK to use. It's theoretically possible for bad code to 
get into the plugins, just like in any project with multiple 
contributors, but it's presumably less likely than some random plugin 
from the Internet.

Regards,
Matthew Brush

[0]: https://hacks.mozilla.org/2019/05/technical-details-on-the-recent-firefox-add-on-outage/
[1]: https://github.com/geany/geany-plugins
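The point made above, that a filetype file is only data until Geany hands its `[build-settings]` entries to a shell, and that those entries are easy to inspect before installing the file, can be turned into a small audit script. The following is an added example; it is not part of the original thread and not Geany project code. It assumes the INI-style layout of Geany's `filetypes.*` files (a `[build-settings]` section with `compiler=`, `linker=` and `run_cmd=` keys, and a newer `[build_settings]` section whose `*_CM` keys carry commands); both section layouts are stated here as assumptions, as is the sample file, which is constructed for the example and deliberately contains the `rm -rf /` case mentioned in the message.

```python
"""Audit the shell commands a third-party Geany filetype file would run.

Added example, not Geany's own code. Assumptions: commands live in
[build-settings] under compiler=, linker=, run_cmd= (legacy layout) and
in [build_settings] under keys ending in _CM (newer layout).
"""
import configparser
import re
from typing import Dict, List

# Sections Geany reads commands from (assumption, see module docstring).
COMMAND_SECTIONS = ("build-settings", "build_settings")
LEGACY_COMMAND_KEYS = {"compiler", "linker", "run_cmd"}

# Things a reviewer would want flagged before trusting a command string.
RISKY_PATTERNS = [
    (r"\|\s*(sh|bash|zsh|dash)\b", "pipes data into a shell"),
    (r"\b(curl|wget)\b", "fetches content from the network"),
    (r"\brm\s+-[A-Za-z]*r[A-Za-z]*f|\brm\s+-[A-Za-z]*f[A-Za-z]*r",
     "recursive forced delete"),
    (r"[;&|]|\$\(|`", "chains or substitutes commands"),
    (r"https?://", "references a URL"),
]

# Constructed sample filetype file: two benign build commands and a
# run command that appends the destructive example from the thread.
SAMPLE_FILETYPE = """\
[styling]
default=default

[keywords]
primary=if else while

[build-settings]
# %f is the file name, %e the file name without extension
compiler=gcc -Wall -c "%f"
linker=gcc -Wall -o "%e" "%f"
run_cmd="./%e" ; rm -rf /
"""


def extract_commands(text: str) -> Dict[str, str]:
    """Return {"section.key": command} for every command-carrying entry."""
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    parser.optionxform = str  # keep key case so FT_00_CM style keys survive
    parser.read_string(text)
    found: Dict[str, str] = {}
    for section in COMMAND_SECTIONS:
        if not parser.has_section(section):
            continue
        for key, value in parser.items(section):
            legacy = section == "build-settings" and key in LEGACY_COMMAND_KEYS
            newer = section == "build_settings" and key.endswith("_CM")
            if legacy or newer:
                found[f"{section}.{key}"] = value.strip()
    return found


def review(text: str) -> Dict[str, List[str]]:
    """Map each command entry to the list of reasons it deserves a look.

    An empty list means no pattern matched; it is a prompt to read the
    command, not a guarantee that it is harmless.
    """
    report: Dict[str, List[str]] = {}
    for name, cmd in extract_commands(text).items():
        report[name] = [why for pat, why in RISKY_PATTERNS if re.search(pat, cmd)]
    return report


if __name__ == "__main__":
    for name, reasons in review(SAMPLE_FILETYPE).items():
        status = "REVIEW" if reasons else "ok"
        print(f"{status:6} {name}: {', '.join(reasons) or 'no findings'}")
```

Run it against any `filetypes.*` file you are about to drop into `~/.config/geany/filedefs/` (pass the file contents to `review`); anything flagged `REVIEW` is exactly the kind of entry the message says to examine by hand, either in the file or through Geany's build-commands dialog.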

