You are not logged in.

#26 2019-04-08 21:47:10

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 21,925
Website

Re: should Unicode chars in IDN of PKGBUILD's source URLs be highlighted?

Allan, that is a not an AUR package.  If that was in the source array of an AUR package, the proposed changes would not protect against it as the submitter would just hand-edit the .SRCINFO.  This is why I was asking all along for a real example of an AUR package where the proposed changes would help.

All I'm seeing is hypothetical and far-fetched examples for which the proposed changes wouldn't even provide protection.

Last edited by Trilby (2019-04-08 21:48:38)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#27 2019-04-08 21:51:21

Allan
Member
From: Brisbane, AU
Registered: 2007-06-09
Posts: 10,869
Website

Re: should Unicode chars in IDN of PKGBUILD's source URLs be highlighted?

It is not an AUR package, but demonstrates it could be easily achieved. 

The editing of .SRCINFO is a good point, but I still lock my door even though the lock can be picked.   Security is like an ogre is like an onion.  It has layers.

Offline

#28 2019-04-09 00:12:04

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 21,925
Website

Re: should Unicode chars in IDN of PKGBUILD's source URLs be highlighted?

Yes, but this is not like locking a door - it's like puting Scotch tape across the seem in the door while leaving the door unlocked.

Do not take ineffective steps when there are much easier effective steps.

But it seems my arguments are going nowhere here.  By all means anyone can feel free to change the aurweb interface to give a false sense of security, er, I mean, to highlight these IDNs for those people who will not even take the much simpler step of looking at the PKGBUILD themselves before they build it.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#29 2019-04-09 09:38:18

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 7,146

Re: should Unicode chars in IDN of PKGBUILD's source URLs be highlighted?

I'd be happy to setup unicode highlighting in my fav editors (Krusader built-in editor and nano), but have no idea how to do that.

Maybe a standalone tool that converts a textfile to punycode so it becomes easily visible ?


Multi-init booting with apg Openrc and systemd coexisting
Automounting : not needed, i prefer pmount
Aur helpers : makepkg + my own local repo === rarely need them

Offline

#30 2019-04-09 12:13:02

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 21,925
Website

Re: should Unicode chars in IDN of PKGBUILD's source URLs be highlighted?

I have no idea what the Krusader built-in editor is, but a google search for syntax highlighting in nano produced immediate answers.  Of course, countless other tools would suffice as well: grep, sed, awk, tr.  The point is, if you review the PKGBUILD on your machine before you build it, you'll actually be able to catch any of these yet-to-be-demonstrated attacks.  But if you add punycode or syntax highlighting to aurweb, it will not be effective in preventing this (still never-yet-observed) attack.

Last edited by Trilby (2019-04-09 12:14:50)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

Board footer

Powered by FluxBB