[ocaml-platform] Secure OPAM?

Gabriel Scherer gabriel.scherer at gmail.com
Sat Jan 17 15:19:46 GMT 2015


There is an excellent piece at LWN.net (do consider subscribing to
this source of quality technical news) about a recent discussion in
the Python community on how to "secure" their package manager
  http://lwn.net/SubscriberLink/629426/bf933f7acea8466c/

The article discusses in particular a library called TUF (The Update
Framework) that aims to help solve the problem in a
package-manager-agnostic way.
  http://theupdateframework.com/
(this page has some other interesting links, e.g. to a similar
discussion in the Ruby community about RubyGems)

Is there a reference point to a discussion of the security aspects of
the OPAM package manager? What I found so far is this 2013 issue by
Edwin Török on signing packages:
  https://github.com/ocaml/opam/issues/423

As far as I know, the current status is that OPAM checks downloaded
packages against the checksum in opam-repository, so it protects
against an attacker changing upstream releases, assuming the
opam-repository remains trusted and there is no man-in-the-middle
(MITM) attack when the user downloads the metadata -- afaik it uses
only HTTP currently.
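As an added illustration (not code from this post or from OPAM itself), here is a small Go model of the trust relationship described above: the checksum check catches a replaced upstream archive but has nothing to catch when metadata and archive are both substituted on an untrusted channel, while a signature on the metadata by a repository key the client already trusts (the TUF-style step) does. The Metadata struct, the ed25519 key and the sample byte strings are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Metadata stands in for the part of an opam file that matters here (assumed
// shape): the archive checksum, plus the signature the post notes OPAM lacks.
type Metadata struct {
	Checksum  string // hex SHA-256 of the archive
	Signature []byte // ed25519 signature over Checksum by the repository key
}

func sha256Hex(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// VerifyArchive is the check the post describes: the downloaded archive must
// match the checksum carried in the repository metadata.
func VerifyArchive(md Metadata, archive []byte) bool {
	return sha256Hex(archive) == md.Checksum
}

// VerifySigned adds the TUF-style step: the metadata must carry a valid
// signature from a key the client already trusts before its checksum counts.
func VerifySigned(pub ed25519.PublicKey, md Metadata, archive []byte) bool {
	return ed25519.Verify(pub, []byte(md.Checksum), md.Signature) && VerifyArchive(md, archive)
}

// SignMetadata is what the repository would do when publishing a release.
func SignMetadata(priv ed25519.PrivateKey, archive []byte) Metadata {
	sum := sha256Hex(archive)
	return Metadata{Checksum: sum, Signature: ed25519.Sign(priv, []byte(sum))}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine, other := []byte("constructed: genuine tarball"), []byte("constructed: other tarball")
	md := SignMetadata(priv, genuine)
	fmt.Println(VerifyArchive(md, other)) // false: replaced archive, intact metadata
	// Metadata and archive both replaced over plain HTTP: checksum passes, signature does not.
	sub := Metadata{Checksum: sha256Hex(other)}
	fmt.Println(VerifyArchive(sub, other), VerifySigned(pub, sub, other)) // true false
}
```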

