Please take a look and give me your thoughts here.
We don't want security by obscurity. The comment there says this:
This function could be the key to us downloading new versions of Qbix, and overriding existing files. So when executing includeFile() we could go into some secure database table for example, like users_code, and check if it has an override for that file, together with at least two signatures.
Normally this would be a very dangerous vector (to execute arbitrary PHP, maybe not as a root user but as a user who can read/write uploaded files etc.)
So the function requires at least two signatures (with asymmetric key cryptography, not symmetric secret key that can leak). That means that the release can be signed by at least two entities that check the code. It could be the developers, as well as some second organization. That way, compromising one organization is not enough, you need to compromise two. In addition there is a whitelist in config, which should be updated and remove one of the keys if it was ever announced to be compromised, by holders of the other keys.
Read the notes ... basically this is not less secure than someone just trusting https://officialsite.com certificate and downloading arbitrary php installer code in SSH.
This would allow our site installations by "normies" be updated without asking them to go into SSH and execute commands. It would also work on any environment even if PHP has no access to write files, as long as it has access to one database.
Please take a look and give me your thoughts here.
They do a lot of security related work for PHP. It was them that added libsodium cryptography library to PHP. They have a few well known open source projects about cryptography and secure practices.
Please take a look and give me your thoughts here.
We don't want security by obscurity. The comment there says this:
This function could be the key to us downloading new versions of Qbix, and overriding existing files. So when executing includeFile() we could go into some secure database table for example, like users_code, and check if it has an override for that file, together with at least two signatures.
Normally this would be a very dangerous vector (to execute arbitrary PHP, maybe not as a root user but as a user who can read/write uploaded files etc.)
So the function requires at least two signatures (with asymmetric key cryptography, not symmetric secret key that can leak). That means that the release can be signed by at least two entities that check the code. It could be the developers, as well as some second organization. That way, compromising one organization is not enough, you need to compromise two. In addition there is a whitelist in config, which should be updated and remove one of the keys if it was ever announced to be compromised, by holders of the other keys.
Read the notes ... basically this is not less secure than someone just trusting https://officialsite.com certificate and downloading arbitrary php installer code in SSH.
This would allow our site installations by "normies" be updated without asking them to go into SSH and execute commands. It would also work on any environment even if PHP has no access to write files, as long as it has access to one database.
Please take a look and give me your thoughts here.