Are there security issues that would prevent the automatic fetching of the md5 hash using drupal_http_request? The release node could be fetched and parsed. The md5 hash could then be fetched automatically instead of manually.

Comments

jabapyth’s picture

yes. Read this whole post: #292920: Checksum Iframe. specifically comments #8 and #9

greggles’s picture

Component: Code » Documentation
Category: feature » task

Maybe we should document this on the project page so people now about it. It should also give people more confidence that the module is built securely.

jabapyth’s picture

o ya! maybe like....this?

Do I really have to insert the md5sum? Yes. Again, this is by design. One detail of the system is that all plugins are verified using the md5sum before they are installed. It would be much more insecure to have a tool that can automatically install new files without even making sure they are genuine.

its in the FAQ section

greggles’s picture

The project page has so much text and so much bold text that individual important items (like this) get lost.

greggles’s picture

And I do apologize - I assumed that it hadn't changed in a few weeks so I didn't check it. Obviously I should have checked the page again before commenting.

jabapyth’s picture

Status: Active » Closed (won't fix)
Anonymous’s picture

Fixed in latest commit.

Anonymous’s picture

Status: Closed (won't fix) » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.