You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Mar 8, 2019. It is now read-only.
BTW. The fix which has been merged into https://github.com/nextcloud/vm could also be used here.
The build script still downloads both the packages and OpenPGP key via HTTP without even checking the fingerprint.
Ref: nextcloud/vm#19
I don’t use either of your VMs. I just wanted to draw your attention back at this issue which makes your build process vulnerable. Please feel encouraged to get familiar with this area and I will be happy to review your PR and give you feedback.
See jchaney/owncloud#12
Vulnerable lines: https://github.com/owncloud/vm/blob/cf6aa232b4e6731bddf00dfd804070cd461eeeb2/vagrant/oc9ce/build-ubuntu-vm.sh#L136
Downloading the PGP key via HTTP and then downloading the packages from the same origin does not make any sense!
The text was updated successfully, but these errors were encountered: