Tiny Core Base > Release Candidate Testing

Core v6.2rc2

<< < (5/8) > >>

gerald_clark:
One can always add a check of the md5sum files to bootsync.sh.
However, once access is obtained, there is no security.

bmarkus:

--- Quote from: nitram on April 29, 2015, 03:17:42 AM ---Thanks for the response. Your point is understood but to me this issue is an oversight. Just wanted to report a potential exploit. If i knew how to program i would attempt a patch, reporting any optional folder .tcz extensions not associated with an md5.txt file, but i can't so up to you/developers whether it's worthy of addressing.

--- End quote ---

I do not see why and how a missing md5 is imposing a security risk.

gerald_clark:
Core is a toolkit, not a distro.
You can add a simple script to md5sum the whole optional directory at boot.
If you can't, why are you using core instead of a distro targeted for the end user?

beerstein:
Tested install again. When I installed leafpad the wbar also disappeared. Then I brought back the wbar using the control panel and tcWbarConf --Apply.
Then installed Firefox and wbar was gone again. After installing several more extensions all of the sudden the wbar did not disappear after an install. Strange?
BTW: I was using CorePlus in cloud mode.

coreplayer2:

--- Quote from: nitram on April 29, 2015, 03:17:42 AM ---Given the choice, i typically prefer security over convenience. Probably not a big concern for the average home user, but maybe for kiosk operators, etc. Flagging missing md5.txt files wouldn't need to compromise the functionality of the .tcz extension, just ensure the end user is notified of a potential issue.

--- End quote ---
This is deliberate. At a minimum it's a means to prevent auto-update and accidental removal of modded or personal extensions.   I do have a solution and have been using it for a year or more, just need to submit it  (wasn't sure if anyone would be interested..).

Navigation

[0] Message Index

[#] Next page

[*] Previous page