[tor-bugs] #12642 [Ooni]: Can Network Attacker Downgrade Dependency Install Security?
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jul 17 13:24:28 UTC 2014
#12642: Can Network Attacker Downgrade Dependency Install Security?
---------------------------+---------------------
Reporter: earthrise | Owner: hellais
Type: defect | Status: new
Priority: normal | Milestone:
Component: Ooni | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
---------------------------+---------------------
Comment (by hellais):
The user must make sure that the pip command does not return any errors.
Failing to do so can lead to a compromise.
If you are using that procedure in a script you should check for the
return code of `pip`. If the return code is != 0 then it should hard fail
and not continue to the python setup.py step.
Is there something that should be done to address this issue? Should the
documentation for the README.md of ooni-backend be more clear?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12642#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
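The check described in the comment above, as an added example that is not part of the original ticket or of the ooni-backend repository: a shell function that records pip's exit status and refuses to reach the setup.py step unless it is 0. The names `install_backend`, `PIP_CMD` and `SETUP_CMD`, and the default command lines they hold, are assumptions; the ticket names only "the pip command" and "the python setup.py step".

```shell
#!/bin/sh
# Added example: hard-fail wrapper around a two-step install.
# Assumption: the two command lines below stand in for whatever the README
# actually tells the user to run; override them through the environment.
: "${PIP_CMD:=pip install -r requirements.txt}"
: "${SETUP_CMD:=python setup.py install}"

install_backend() {
    # Step 1: dependency install. Save the status on the very next line,
    # because any later command (even echo) overwrites $?.
    $PIP_CMD
    pip_status=$?

    # An explicit test is used instead of relying on `set -e`, which the
    # shell ignores when the function is called from an `if`, `&&` or `||`.
    if [ "$pip_status" -ne 0 ]; then
        echo "pip exited with status $pip_status; refusing to run: $SETUP_CMD" >&2
        return "$pip_status"
    fi

    # Step 2: reached only when pip reported success.
    $SETUP_CMD
}

# Typical call from an install script:
#   install_backend || exit 1
```
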