OMV installScript procedure insecure - package with SHA256 available?

  • It makes no sense to hash a downloaded image for security, if later while running the installScript, I pull thousands of OMV files to a local drive without hashing them. Right?


    Is there any possibility to download everything that might get pulled? Say a big package and then running the script locally, w/o commands like apt-get or wget?

    To me, the pulling process seems to be very weak. Too easy to inject "something" into the files while flying through the net.

    Having downloaded everything in a package, it'd be easy to hash the whole once before installing. Just to be sure.

    And as a benefit, I may install another Pi in my private net in a year or so and know(!) that I already have everything needed in my archive.


    For 10 days now I have owned a Pi3+ and am getting to know Linux a bit. And I'm sure to move on with that stuff :)

  • SWDLD
    • Official Post

    It makes no sense to hash a downloaded image for security, if later while running the installScript, I pull thousands of OMV files to a local drive without hashing them. Right?

    No. You need to understand how apt works. The install script adds repos and their signed key. The packages are signed against this key. The Release file is signed and the package list has sha256 sums in the Release file. This is how apt works and how Debian does it as well.


    Is there any possibility to download everything that might get pulled? Say a big package and then running the script locally, w/o commands like apt-get or wget?

    I have no plans to do that because it is a maintenance nightmare and not needed in my opinion.

    To me, the pulling process seems to be very weak. Too easy to inject "something" into the files while flying through the net.

    How? Can you hack github or the omv package repo? Can you then hack the gpg key to get the correct signature on the packages? I guess if you can, you shouldn't use OMV.


    For 10 days now I have owned a Pi3+ and am getting to know Linux a bit.

    You are new to Linux and you think apt (which has been around for 20+ years) is not secure??

    omv 6.3.4-1 Shaitan | 64 bit | 6.1 proxmox kernel

    plugins :: omvextrasorg 6.1.1 | kvm 6.2.9 | compose 6.6.1 | cputemp 6.1.3 | mergerfs 6.3.5 | zfs 6.0.12


    omv-extras.org plugins source code and issue tracker - github


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!
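The chain the reply describes (signed Release file, whose SHA256 list covers the Packages index, whose SHA256 fields cover each .deb) can be checked by hand. The following is an added illustration, not OMV or apt code: it assumes the GPG signature on the Release file has already been verified, and the Release file, Packages stanza and .deb bytes are constructed sample data.

```python
import hashlib
import re

# Constructed sample .deb payload and the Packages stanza describing it.
# sha256(b"test") = 9f86d0...0a08, size 4 bytes.
DEB_BYTES = b"test"
PACKAGES_INDEX = (
    b"Package: openmediavault-example\n"
    b"Version: 6.0.0-1\n"
    b"Filename: pool/main/o/openmediavault-example_6.0.0-1_all.deb\n"
    b"Size: 4\n"
    b"SHA256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\n\n"
)
# Constructed Release file. Only the SHA256 block matters here; in a real
# repository the whole file is GPG-signed and apt checks that signature first.
RELEASE_FILE = (
    b"Origin: constructed-example\nSuite: stable\nSHA256:\n "
    + hashlib.sha256(PACKAGES_INDEX).hexdigest().encode()
    + b" " + str(len(PACKAGES_INDEX)).encode() + b" main/binary-arm64/Packages\n"
)

def release_sha256_entries(release: bytes) -> dict:
    """Return {path: (sha256_hex, size)} from the Release file's SHA256 block."""
    entries, in_block = {}, False
    for line in release.decode().splitlines():
        if line.startswith("SHA256:"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):
                break  # a non-indented line ends the checksum block
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def packages_entries(index: bytes) -> dict:
    """Return {Filename: {field: value}} from the stanzas of a Packages index."""
    result = {}
    for stanza in index.decode().strip().split("\n\n"):
        fields = dict(re.findall(r"^([A-Za-z0-9-]+): (.*)$", stanza, re.M))
        result[fields["Filename"]] = fields
    return result

def matches(expected_hex: str, expected_size: int, data: bytes) -> bool:
    return len(data) == expected_size and hashlib.sha256(data).hexdigest() == expected_hex

def verify_chain(release: bytes, index: bytes, index_path: str, deb: bytes, deb_path: str) -> bool:
    """Release -> Packages -> .deb: any broken link rejects the package, as apt would."""
    idx = release_sha256_entries(release).get(index_path)
    if idx is None or not matches(idx[0], idx[1], index):
        return False
    pkg = packages_entries(index).get(deb_path)
    return pkg is not None and matches(pkg["SHA256"], int(pkg["Size"]), deb)
```

Because every level is pinned by the one above it, altering a single byte of either the index or the .deb in transit makes `verify_chain` return False; only the signature on the Release file needs a trusted key.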
