06-17-2025 10:44 PM
Does VIPM secretly use checksums? I don't see any at any of the pages for the various downloads.
For example:
https://www.vipm.io/package/delacor_lib_dqmh_toolkit/
How do we confirm the integrity of package files without a checksum to check against?
06-18-2025 10:55 AM
@carlos_camargo wrote:
Does VIPM secretly use checksums? I don't see any at any of the pages for the various downloads.
For example:
https://www.vipm.io/package/delacor_lib_dqmh_toolkit/
How do we confirm the integrity of package files without a checksum to check against?
Google tells me that it does, but take that with a grain of salt, for I haven't verified that myself.
06-19-2025 03:14 AM - edited 06-19-2025 03:19 AM
The VIP and other VIPM formats do have a checksum calculation. The only thing this protects from is involuntary corruption of the package datastream either on the server or in transit. It is almost 100% certain that such a corruption would also destroy the CRC checksum in the actual ZIP archive format that is used as container for these packages and would result in an unpack error from the unzip routines. So it does not really add any extra security.
Specifically, it does not guarantee that the package was not altered by unauthorized people. Anybody with enough access to the servers to change or replace a package file can simply recreate the package with VIPM, with whatever nefarious addition they like, and replace the package file with their own creation.
VIPM also supports OpenG packages (*.ogp). These do not have an extra "secret" checksum in the package definition file (spec), but I see no reason why that would be less secure given the already present CRC feature of the used ZIP archive format. The VIP checksum really only serves as a protection to know that the package was indeed created with VIPM and nothing else (and I'm fairly sure I could find out how to sign an OpenG package with the VIPM signature to make it look like VIPM created it).
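The distinction made in the post above (a CRC catches accidental corruption, but says nothing about who produced the archive) can be shown with a few lines of Go. This is an added example, not code from VIPM or JKI: it builds a plain ZIP with one stored entry standing in for a package spec (the real .vip layout and its extra checksum are not modelled), shows that a flipped bit is rejected by the ZIP CRC, that a repacked archive with altered content passes the CRC without complaint, and that only a detached Ed25519 signature, made with a key that never sits on the download server, distinguishes the publisher's file from the replacement. The spec text and the entry name "spec" are constructed for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// buildPackage writes a minimal ZIP archive in memory with one stored
// (uncompressed) entry named "spec". It stands in for a VIPM package;
// the real .vip layout and its extra checksum are not modelled here.
func buildPackage(spec string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	f, err := w.CreateHeader(&zip.FileHeader{Name: "spec", Method: zip.Store})
	if err != nil {
		panic(err)
	}
	if _, err := f.Write([]byte(spec)); err != nil {
		panic(err)
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// readSpec unpacks the "spec" entry. archive/zip recomputes CRC-32 while
// reading and reports zip.ErrChecksum if it disagrees with the stored value,
// which is the "unpack error" an accidentally corrupted package produces.
func readSpec(pkg []byte) (string, error) {
	r, err := zip.NewReader(bytes.NewReader(pkg), int64(len(pkg)))
	if err != nil {
		return "", err
	}
	for _, f := range r.File {
		if f.Name != "spec" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return "", err
		}
		defer rc.Close()
		data, err := io.ReadAll(rc) // CRC is compared when EOF is reached
		if err != nil {
			return "", err
		}
		return string(data), nil
	}
	return "", errors.New("spec entry not found")
}

// corruptInTransit simulates a bit flip inside the stored spec data, the
// only failure mode a CRC is meant to catch. It returns a modified copy.
func corruptInTransit(pkg []byte, spec string) []byte {
	out := append([]byte(nil), pkg...)
	if i := bytes.Index(out, []byte(spec)); i >= 0 {
		out[i] ^= 0x01
	}
	return out
}

// signPackage and verifyPackage use a detached Ed25519 signature over the
// whole archive. The private key stays with the publisher, not on the
// download server, so swapping the file on the server cannot yield a
// valid signature for the replacement.
func signPackage(priv ed25519.PrivateKey, pkg []byte) []byte {
	return ed25519.Sign(priv, pkg)
}

func verifyPackage(pub ed25519.PublicKey, pkg, sig []byte) bool {
	return ed25519.Verify(pub, pkg, sig)
}

func main() {
	// Constructed spec content; not a real VIPM spec.
	spec := "Name: example_toolkit\nVersion: 1.0.0\n"
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)

	pkg := buildPackage(spec)
	sig := signPackage(priv, pkg)

	// 1. Accidental corruption: the ZIP CRC already catches it.
	_, err := readSpec(corruptInTransit(pkg, spec))
	fmt.Println("bit flip caught by ZIP CRC:", errors.Is(err, zip.ErrChecksum))

	// 2. Deliberate replacement: a repacked archive has a perfectly valid CRC.
	evil := buildPackage(spec + "Extra: attacker-added line\n")
	got, err := readSpec(evil)
	fmt.Println("repacked archive passes CRC:", err == nil && got != spec)

	// 3. Only the signature tells the publisher's file from the replacement.
	fmt.Println("original verifies:", verifyPackage(pub, pkg, sig))
	fmt.Println("replacement verifies:", verifyPackage(pub, evil, sig))
}
```

The practical check this implies for a package consumer is to verify a signature (or at least a hash published somewhere other than the download server) before unpacking; an in-archive checksum, whether the ZIP CRC or an extra field in the spec, is recomputed by whoever builds the archive and so cannot speak to origin.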
06-19-2025 10:00 AM
Thanks for that explanation. It is unfortunate that JKI didn't choose to implement a system to ensure data integrity; it seems that would be inexpensive and easy to implement. It would also give companies more assurance that VIPM packages are trustworthy. Especially given that vipm.io is a small organization, that kind of assurance might tilt the scales significantly.
06-19-2025 04:20 PM
@carlos_camargo wrote:
Thanks for that explanation. It is unfortunate that JKI didn't choose to implement a system to ensure data integrity; it seems that would be inexpensive and easy to implement. It would also give companies more assurance that VIPM packages are trustworthy. Especially given that vipm.io is a small organization, that kind of assurance might tilt the scales significantly.
Security is not free of cost! A system that would allow vetting that the person posting a package on VIPM is really the person they claim to be, and is not somehow secretly smuggling some less than helpful code into a package, requires a lot of extra infrastructure: a team of people actually verifying that a person is who they say they are, issuing corresponding cryptographically protected certificates, using those certificates to sign every package, and so on. It's possible but very expensive. Who is going to pay those costs?
JKI? They already cover the cost for developing VIPM, maintaining the vipm.io infrastructure, paying for hosting, domain name and data bandwidth. And while the professional licence for VIPM does cost money I'm very sure it does not pay for those costs. Adding more costs would not make this service more likely to exist.
The package providers? Think again, they develop those packages and provide them (mostly) for free use on the vipm.io repository. If I have to pay to have my package used by John Doe and Co for free, I have other hobbies that I would rather do! 😂
You as VIPM user? Fat chance! 😁