Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Thoughts on script documentation
From: Ron <ron () skullsecurity net>
Date: Mon, 21 Feb 2011 14:47:04 -0600

Hash: SHA1

On Mon, 24 Jan 2011 15:18:27 -0800 Fyodor <fyodor () insecure org> wrote:
I'm not sure about that.  I think most Nmap users on Linux get their
Nmap (and other software) updates through their distribution's
repository system, which means updating the binaries as well as
scripts.  Firefox might be a better example, since they have a
multi-platform update system which can replace the engine as well as
the architecture-independent files.  It might be worth examining more
how that works.  Most Adobe software can be updated that way as well,
and that is how Microsoft Windows Update works too.  Windows Update is
Windows-only, but you get different binaries based on the version of
Windows you are using.  Apple's iPhone App Store and new Mac App Store
include binary update features.

A big disadvantage of including platform-specific updates in an Nmap
update system is that we'd need separate architecture-dependent
channels and of course we'd have to build the binaries for each
channel.  On the other hand, we already have such build systems
available because we need them to build the new release binaries.  The
advantages of such a system are that people would get the newest
version of Nmap as well as its scripts, and we also wouldn't have to
develop a dependency system to track the Nmap engine version required
for each NSE script.  We would just have to make sure to include new
binaries in the update stream whenever we make a change which is
required for the newest scripts/libs.

I'm not saying that a binary update mechanism is certainly the way to
go, but we should keep it on the table.

Of course the update system would have to utilize cryptographic
signatures to prevent rogue updates (e.g. from MITM attacks).  But
that is true even if we only update platform-independent code.  A
rogue NSE script or library is roughly as dangerous as a rogue Nmap

I'm amazingly late on this, but I'm catching up on old emails... 

I think you'll find a lot of people who are okay with updating scripts/plugins/whatever on a regular basis, but are 
hesitant to update the full software. I realize that's sort of odd, but it's something to keep in mind. .

Version: GnuPG v1.4.9 (GNU/Linux)

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]