Insecure updates are the rule, not the exception
The Update Framework
As with most things in open source, you don't have to reinvent the wheel. The Update Framework (TUF)  is available under an open source license (but not one I recognize) and is written mostly in Python, so it's pretty understandable. Even better is that all the above security issues have been taken into account for the system design and implementation. It even addresses possible problems like key compromise.
One basic thing to keep in mind about security, especially for software updates, is that you need to make your system as secure as you can, but you also need to make it possible to return to a known good state (i.e., you have removed all the compromised packages and so on from your update infrastructure).
TUF places all of the heavy lifting on the server and end client. Thus, the intermediary mirror systems don't even need to know about it, which in turn makes deployment possible (trying to get a major mirror site to install some software so they can securely serve updates is a battle you will lose). Unfortunately, TUF isn't perfect – the only client is written in Python, so integrating it with non-Python software or on systems that don't natively support Python (e.g., Windows) will be difficult, to say the least. For more information, an excellent lightning talk is available on YouTube  that covers all the basics of TUF using PyPI.
You can certainly use TUF to secure updates, but, unfortunately, deploying TUF is nontrivial. You're going to need at least two servers (in case one fails) and some keys that will require management. That means it's probably not going to be used; in fact, I'm not aware of any software that uses TUF for updates. So, unless people start demanding that organizations and vendors, like WordPress, Drupal, Joomla, RubyGems, PyPI, Hackage, CPAN, and so on, start providing secure updates for all the code they make available, it isn't going to happen.
Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.
- HTP Zine 5: http://straylig.ht/zines/HTP5/0x02_Linode.txt
- Social Media Widget remote file inclusion: http://seclists.org/oss-sec/2013/q2/83
- OpenPGP Card: http://en.wikipedia.org/wiki/OpenPGP_card
- Kernel Concepts Security/Smartcards: http://shop.kernelconcepts.de/index.php?cPath=1_26
- The Update Framework: https://www.updateframework.com/
- TUF lightning talk: https://www.youtube.com/watch?v=2sx1lS6cT3g
Buy this article as PDF
Azure CTO says Redmond has already considered the unthinkable.
Lead developer quells rumors that the Debian version is slated for center stage.
MSBuild is now just another GitHub project as Redmond continues its path to the light.
Malware could pass data and commands between disconnected computers without leaving a trace on the network.
New rules emphasize collegiality in coding.
Upstart lands in the dust bin as a new era begins for Linux.
HP's annual Cyber Risk report offers a bleak look at the state of IT.
But what do the big numbers really mean?
.NET Core execution engine is the basis for cross-platform .NET implementations.
The Xnote trojan hides itself on the target system and will launch a variety of attacks on command.