Nmap Development mailing list archives
Re: Thoughts on script documentation
From: Ron <ron () skullsecurity net>
Date: Mon, 21 Feb 2011 14:47:04 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 24 Jan 2011 15:18:27 -0800 Fyodor <fyodor () insecure org> wrote:
I'm not sure about that. I think most Nmap users on Linux get their Nmap (and other software) updates through their distribution's repository system, which means updating the binaries as well as scripts. Firefox might be a better example, since they have a multi-platform update system which can replace the engine as well as the architecture-independent files. It might be worth examining more how that works. Most Adobe software can be updated that way as well, and that is how Microsoft Windows Update works too. Windows Update is Windows-only, but you get different binaries based on the version of Windows you are using. Apple's iPhone App Store and new Mac App Store include binary update features. A big disadvantage of including platform-specific updates in an Nmap update system is that we'd need separate architecture-dependent channels and of course we'd have to build the binaries for each channel. On the other hand, we already have such build systems available because we need them to build the new release binaries. The advantages of such a system are that people would get the newest version of Nmap as well as its scripts, and we also wouldn't have to develop a dependency system to track the Nmap engine version required for each NSE script. We would just have to make sure to include new binaries in the update stream whenever we make a change which is required for the newest scripts/libs. I'm not saying that a binary update mechanism is certainly the way to go, but we should keep it on the table. Of course the update system would have to utilize cryptographic signatures to prevent rogue updates (e.g. from MITM attacks). But that is true even if we only update platform-independent code. A rogue NSE script or library is roughly as dangerous as a rogue Nmap executable. Cheers, Fyodor
I'm amazingly late on this, but I'm catching up on old emails... I think you'll find a lot of people who are okay with updating scripts/plugins/whatever on a regular basis, but are hesitant to update the full software. I realize that's sort of odd, but it's something to keep in mind. . Ron -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAk1iz0gACgkQ2t2zxlt4g/QYPQCgj3GJ3woBNP5yiRQQTZ4OyMbs lrgAoLnsQ8oxbLbWQrZiJFgzMekosqjO =fUIz -----END PGP SIGNATURE----- _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: Thoughts on script documentation Jan-Oliver Wagner (Jan 04)
- Re: Thoughts on script documentation Fyodor (Jan 04)
- Re: Thoughts on script documentation Jan-Oliver Wagner (Jan 05)
- Re: Thoughts on script documentation Fyodor (Jan 24)
- Re: Thoughts on script documentation alexandru (Jan 24)
- Re: Thoughts on script documentation Ron (Feb 21)
- Re: Thoughts on script documentation Jan-Oliver Wagner (Feb 28)
- Re: Thoughts on script documentation Djalal Harouni (Mar 11)
- Re: Thoughts on script documentation Jan-Oliver Wagner (Jan 05)
- Re: Thoughts on script documentation Fyodor (Jan 04)
- <Possible follow-ups>
- Re: Thoughts on script documentation David Fifield (Jan 12)