
will the new owners of this extension stop fucking it up and being shady? #1328

Open
spmedia opened this issue Feb 7, 2021 · 4 comments

@spmedia

spmedia commented Feb 7, 2021

Thanks

#1175 (comment)
#1263
https://www.bleepingcomputer.com/news/software/the-great-suspender-chrome-extensions-fall-from-grace/

Beware. Stop using this ASAP.

@XxX-Force

Just install 7.16 from the source. Takes less than 1 minute. Simple. Done.

7.16 is located here:

https://github.com/greatsuspender/thegreatsuspender/releases/tag/v7.1.6

Instructions for installing it are located here:

https://github.com/greatsuspender/thegreatsuspender#install-as-an-extension-from-source

@mirfilip

mirfilip commented Feb 7, 2021

> Just install 7.16 from the source. Takes less than 1 minute. Simple. Done.
>
> 7.16 is located here:
>
> https://github.com/greatsuspender/thegreatsuspender/releases/tag/v7.1.6
>
> Instructions for installing it are located here:
>
> https://github.com/greatsuspender/thegreatsuspender#install-as-an-extension-from-source

Actually, as shady maintainer is still in power, he/she can replace the old tag with something new. Installing from source has no mechanisms for verifying checksums etc. so you won't even know. Just drop this extension and go over to https://github.com/gioxx/MarvellousSuspender if you still want to stick to it.

@XxX-Force

How is anything from https://github.com/greatsuspender/thegreatsuspender/releases/tag/v7.1.6 going to be modified without date changes recorded for the time it was modified? I am not a GitHub expert by any stretch of the imagination, but although there may not be a checksum, there is a commit signature verification, and a GPG key ID of: 4AEE18F83AFDEB23. It clearly states that:

"deanoemcke released this on May 23, 2020"

.. so how can the new entity "replace the old tag with something new" without my being able to know? And, since it is installed from source locally, it will not auto-update. I've crippled the google analytics (that were always present) .. which doesn't even have to be done unless anyone is concerned about it, or just doesn't want it (like me), it's just standard google analytics .. so I just don't get how doing what I suggested here could cause any security issue, but I am honestly happy to learn.

I have nothing against MarvellousSuspender or what seems to me to be another good option from @aciidic called "thegreatsuspender-notrack", I just don't feel the need to switch with the way I have TGS 7.16 set up right now, and I would gladly learn how I am making a mistake in thinking this way.

"he/she can replace the old tag with something new ... you won't even know"

How though? I apologize for the ignorance.

@mirfilip

mirfilip commented Feb 24, 2021

> How is anything from https://github.com/greatsuspender/thegreatsuspender/releases/tag/v7.1.6 going to be modified without date changes recorded for the time it was modified? I am not a GitHub expert by any stretch of the imagination, but although there may not be a checksum, there is a commit signature verification, and a GPG key ID of: 4AEE18F83AFDEB23. It clearly states that:
>
> "deanoemcke released this on May 23, 2020"
>
> .. so how can the new entity "replace the old tag with something new" without my being able to know? And, since it is installed from source locally, it will not auto-update. I've crippled the google analytics (that were always present) .. which doesn't even have to be done unless anyone is concerned about it, or just doesn't want it (like me), it's just standard google analytics .. so I just don't get how doing what I suggested here could cause any security issue, but I am honestly happy to learn.
>
> I have nothing against MarvellousSuspender or what seems to me to be another good option from @aciidic called "thegreatsuspender-notrack", I just don't feel the need to switch with the way I have TGS 7.16 set up right now, and I would gladly learn how I am making a mistake in thinking this way.
>
> "he/she can replace the old tag with something new ... you won't even know"
>
> How though? I apologize for the ignorance.

@XxX-Force
A maintainer can overwrite any GitHub tag. Commit hashes and commit date will change, of course. If you blindly take a tag, checkout, install from source, just because "it's an old version", you are likely not going to check history and dates to look for something suspicious. As for GPG keys - we don't know if new maintainers reuse the original maintainer keys, it may well be. I didn't check that though. My point was more a general one - one just doesn't blindly trust GH tags, as they have no checksum verification, bar some metadata checks like GPG signature, not the code checksums. Of course, unless you go through extra steps like comparing code etc.

Anyhow, I'm not an advocate for MarvellousSuspender or any other solution.
