Re: Thoughts on script documentation

[Ron <ron () skullsecurity net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 24 Jan 2011 15:18:27 -0800 Fyodor <fyodor () insecure org> wrote:
> I'm not sure about that.  I think most Nmap users on Linux get their
> Nmap (and other software) updates through their distribution's
> repository system, which means updating the binaries as well as
> scripts.  Firefox might be a better example, since they have a
> multi-platform update system which can replace the engine as well as
> the architecture-independent files.  It might be worth examining more
> how that works.  Most Adobe software can be updated that way as well,
> and that is how Microsoft Windows Update works too.  Windows Update is
> Windows-only, but you get different binaries based on the version of
> Windows you are using.  Apple's iPhone App Store and new Mac App Store
> include binary update features.
>
> A big disadvantage of including platform-specific updates in an Nmap
> update system is that we'd need separate architecture-dependent
> channels and of course we'd have to build the binaries for each
> channel.  On the other hand, we already have such build systems
> available because we need them to build the new release binaries.  The
> advantages of such a system are that people would get the newest
> version of Nmap as well as its scripts, and we also wouldn't have to
> develop a dependency system to track the Nmap engine version required
> for each NSE script.  We would just have to make sure to include new
> binaries in the update stream whenever we make a change which is
> required for the newest scripts/libs.
>
> I'm not saying that a binary update mechanism is certainly the way to
> go, but we should keep it on the table.
>
> Of course the update system would have to utilize cryptographic
> signatures to prevent rogue updates (e.g. from MITM attacks).  But
> that is true even if we only update platform-independent code.  A
> rogue NSE script or library is roughly as dangerous as a rogue Nmap
> executable.
>
> Cheers,
> Fyodor
I'm amazingly late on this, but I'm catching up on old emails... 

I think you'll find a lot of people who are okay with updating scripts/plugins/whatever on a regular basis, but are 
hesitant to update the full software. I realize that's sort of odd, but it's something to keep in mind. .

Ron
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAk1iz0gACgkQ2t2zxlt4g/QYPQCgj3GJ3woBNP5yiRQQTZ4OyMbs
lrgAoLnsQ8oxbLbWQrZiJFgzMekosqjO
=fUIz
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/