Hello, and thanks for the incredible library.

```cpp
// https://github.com/duckdb/duckdb/blob/v0.6.0/src/main/extension/extension_install.cpp#L104
string url_template = "http://extensions.duckdb.org/${REVISION}/${PLATFORM}/${NAME}.duckdb_extension.gz";
```

But HTTP connections are vulnerable to man-in-the-middle (MITM) attacks. And if that happens, an attacker could replace plugins with malicious versions and execute malicious code on the user's device. I wonder if it's possible to be able to download extensions using HTTPS?
Replies: 1 comment
We download using HTTP, as OpenSSL is a very large dependency to include by default. To ensure we're still secure, each official extension binary is signed with our key and verified upon loading.
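The reply's point, that integrity comes from a signature checked at load time rather than from the transport, is shown in the following added example; it is not part of the discussion and not DuckDB's code. The toy RSA key, the fixed-size signature trailer layout and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes, for illustration only.
# Textbook RSA without padding; real verifiers use a padded scheme such as PSS.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held only by the publisher
SIG_LEN = (N.bit_length() + 7) // 8  # hypothetical layout: fixed-size trailer


def _digest_int(payload: bytes) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")


def sign_extension(payload: bytes) -> bytes:
    """Publisher side: append the signature trailer to the binary."""
    sig = pow(_digest_int(payload), D, N)
    return payload + sig.to_bytes(SIG_LEN, "big")


def verify_extension(blob: bytes) -> bytes:
    """Loader side: return the payload only if the trailer verifies."""
    if len(blob) <= SIG_LEN:
        raise ValueError("too short to carry a signature")
    payload, sig = blob[:-SIG_LEN], int.from_bytes(blob[-SIG_LEN:], "big")
    if sig >= N or pow(sig, E, N) != _digest_int(payload):
        raise ValueError("signature check failed, refusing to load")
    return payload


def try_load(blob: bytes) -> bool:
    """True if the downloaded bytes would be accepted by the loader."""
    try:
        verify_extension(blob)
        return True
    except ValueError:
        return False


# Constructed samples: the published file, and two altered HTTP responses.
BODY = b"\x7fELF constructed extension body"
PUBLISHED = sign_extension(BODY)
TAMPERED = b"\x7fELF replaced body" + PUBLISHED[-SIG_LEN:]  # old trailer reused
UNSIGNED = b"\x7fELF replaced body"                          # no trailer at all
```

The check depends only on the public key shipped with the loader, so it gives the same answer whether the bytes arrived over HTTP or HTTPS; it does not hide which extension was requested.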