Let's talk about secure code delivery and automatic updates.
Here's a collection of writing on this topic:
- The Triangle of Secure Code Delivery aims to formalize a solution to the problem of secure code delivery, which I like to call the Triangle of Software Authenticity (delivery also includes transport-layer concerns).
- Guide to Automatic Security Updates For PHP Developers describes how to build a secure code delivery system.
- Keyggdrasil, Continuum, and the Cryptography Powering CMS Airship describes an implementation that secures the automatic update features in our Free Software CMS, Airship.
- The Quick Guide to Simple and Secure Automatic Updates (published today) aims to educate developers about the tools that already exist that make secure automatic updates feasible (or will in the near future).
1. Does the proposed threat model make sense for an attacker who wants to compromise an update server to spread malware?
2. Does the triangle sufficiently prescribe a defensible means of mitigating and/or deterring such attacks?
3. What (if anything) can be done to make our model more robust? What can be done to make it simpler to interface with?