-
In PR #20548, it looks like the Teracopy install URL has been changed from the official one ( This feels like a major security risk, where anyone can submit a PR to change the install URL of a package, and any user that runs a |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 3 replies
-
Beta Was this translation helpful? Give feedback.
-
Thanks for the detailed response! I'm still new to winget and didn't realize that there was going to be a logical separation between the MS store and community repos, and that the MS Store would be the default with community being opt-in. That alleviates most of my concerns for layman users. I would still love to see an indication/warning that the installer source has changed if you're upgrading an already-installed package (at minimum when there's domain changes), and show the URL of the new installer. If (as you indicated) you're manually checking hashes against the application's official source then this is less of an issue, but that seems like manual validation would become unmanageable once there are thousands of apps in the community repo (though maybe I'm wrong about that 🙂). As a side note regarding automated scanners/antivirus, as great as they are, we shouldn't be relying on them completely to catch anything malicious. It's easy to think of a number of malicious actions that automated systems wouldn't catch. E.g. a Teracopy where every copy/move action is redirected to the delete action. Or an Irfanview that adds a watermark to every image you save and deletes the original. Again, if the manual validation of the hashes from the official sources continues then this isn't a problem, I'm just concerned what would happen if/when those manual hash validations stop. |
Beta Was this translation helpful? Give feedback.
-
I think a hash alone is not sufficient for security. Perhaps a parity file would be better. |
Beta Was this translation helpful? Give feedback.
https://www.codesector.com/files/teracopy.exe
is a temporary redirect tohttps://codesector.s3.us-west-000.backblazeb2.com/teracopy.exe
, so your concerns aboutbut it could be changed at any point by whoever controls the bucket.
shouldn't be a huge issue here as the only person that has control over that bucket right now is the CodeSector developers, and no one else is allowed. If a malicious person took over the bucket, the hash would likely change and then no one can install it until the hash is fixed in the package where it has to go through automatic and manual validation again as well as automated and manual virus checks, and then the database will be updated with the new changes.If…