Hacker News

Happy to discuss your concerns. PCP 3.10 should be available on Ubuntu's official repo pretty soon too.


His concerns seem plain to me. Unauthenticated channels for software distribution or software installation instructions are bad.

The techblog isn't using SSL, and the git pull URL for PCP is using the git protocol, which is also unauthenticated, rather than the authenticated https transport (ssh is only an option when user accounts make sense).

Someone's at a conference and follows the link over public wifi. They get the same page but with "here's how to get PCP: ftp evil.io or git clone git://git.evil.io/pcp" Even if the webpage were ssl-enabled so that an attacker can't rewrite the pcp.io links, an attacker or evil network operator could MITM git.pcp.io or ftp.pcp.io. (FTP?!)

Being in Ubuntu's repo doesn't make it safe if Ubuntu's maintainers have no (semi-)trustworthy way of getting the code.


Ubuntu's maintainers can check the MD5SUM file on ftp.pcp.io:

  ftp://ftp.pcp.io/projects/pcp/download/MD5SUM
The project seems to be hosted by Red Hat these days.


FTP is just as unauthenticated as everything else above, so having MD5SUMs available over FTP doesn't really change the situation.
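To make the point in the comment above concrete, here is an added example (it is not from the thread and not PCP's own code) that simulates the two download paths. It uses constructed sample bytes in place of a real tarball, and an attacker who, sitting on the unauthenticated FTP or git channel, rewrites both the tarball and the MD5SUM file; the pinned digest is a hypothetical value assumed to have been obtained over some authenticated path. The "fetch" helper and file names are stand-ins for illustration only.

```python
import hashlib
import hmac

# Constructed sample contents standing in for a release tarball; not real PCP bytes.
TARBALL_NAME = "pcp-3.10.0.tar.gz"
GENUINE_TARBALL = b"genuine release contents (constructed sample)\n"
TROJANED_TARBALL = b"tampered release contents with a backdoor (constructed sample)\n"


def md5sum_file(contents: bytes, name: str) -> bytes:
    """Build an MD5SUM file in the usual 'digest  filename' layout for one entry."""
    return (hashlib.md5(contents).hexdigest() + "  " + name + "\n").encode()


# What the legitimate server publishes ...
GENUINE_FILES = {
    TARBALL_NAME: GENUINE_TARBALL,
    "MD5SUM": md5sum_file(GENUINE_TARBALL, TARBALL_NAME),
}
# ... and what an on-path attacker substitutes. The attacker owns every byte of the
# unauthenticated channel, so MD5SUM is simply rewritten to match the trojaned tarball.
TROJANED_FILES = {
    TARBALL_NAME: TROJANED_TARBALL,
    "MD5SUM": md5sum_file(TROJANED_TARBALL, TARBALL_NAME),
}

# Hypothetical digest recorded out of band (a signed release announcement, or a copy
# obtained earlier over an authenticated transport). The point is only that it did
# not travel over the channel the attacker controls.
PINNED_SHA256 = hashlib.sha256(GENUINE_TARBALL).hexdigest()


def fetch(path: str, mitm: bool) -> bytes:
    """Simulated ftp:// or git:// fetch. With mitm=True the attacker answers in place of the server."""
    files = TROJANED_FILES if mitm else GENUINE_FILES
    return files[path]


def parse_md5sum(text: str) -> dict:
    """Parse 'digest  filename' lines into {filename: digest}; blank lines are ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, name = line.split(None, 1)
        entries[name] = digest.lower()
    return entries


def verify_with_channel_md5sum(mitm: bool) -> bool:
    """The check proposed in the thread: tarball and MD5SUM fetched from the same unauthenticated channel."""
    tarball = fetch(TARBALL_NAME, mitm)
    sums = parse_md5sum(fetch("MD5SUM", mitm).decode())
    return hmac.compare_digest(hashlib.md5(tarball).hexdigest(), sums[TARBALL_NAME])


def verify_with_pinned_digest(mitm: bool, pinned_sha256: str = PINNED_SHA256) -> bool:
    """Check the download against a digest that did not travel over the attacked channel."""
    tarball = fetch(TARBALL_NAME, mitm)
    return hmac.compare_digest(hashlib.sha256(tarball).hexdigest(), pinned_sha256)


if __name__ == "__main__":
    for mitm in (False, True):
        print(f"mitm={mitm}: MD5SUM-from-channel check passes={verify_with_channel_md5sum(mitm)}, "
              f"pinned-digest check passes={verify_with_pinned_digest(mitm)}")
```

Running it shows the MD5SUM check passing in both the honest and the attacked case, because the attacker rewrites the checksum file along with the tarball; only the comparison against a digest obtained through some authenticated path detects the substitution. The same reasoning applies to any checksum file, whatever the hash algorithm: a digest is only as trustworthy as the channel it arrived over.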


Any chance you could provide standard Debian builds rather than Ubuntu specific?



