Re: [racket-users] Upgrading installer verification

2021-04-06 Thread James Platt
On Apr 2, 2021, at 6:59 PM, Alex Harsányi wrote:
> Hi James,
>
> If you are worried about dependency confusion attacks, you can set up your
> own package catalog on an internal server, delete the default catalogs from
> racket and add only a reference to just your internal catalog. This way,

Re: [racket-users] Upgrading installer verification

2021-04-02 Thread Sam Tobin-Hochstadt
There is indeed signing for Ubuntu ppas, but that's specific both to apt and to the ppa system.

Sam

On Fri, Apr 2, 2021, 9:29 PM Sage Gerard wrote:
> No, I'm just looking for extra confidence when verifying installers.
>
> On that note, did Ubuntu require someone to sign packages to distribute

Re: [racket-users] Upgrading installer verification

2021-04-02 Thread Sage Gerard
No, I'm just looking for extra confidence when verifying installers. On that note, did Ubuntu require someone to sign packages to distribute packages via apt? Can that be repurposed here?

On 4/2/21 12:26 PM, James Platt wrote:
>
> Are you bringing this up because of the recent rise of dependency

Re: [racket-users] Upgrading installer verification

2021-04-02 Thread Alex Harsányi
Hi James,

If you are worried about dependency confusion attacks, you can set up your own package catalog on an internal server, delete the default catalogs from racket and add only a reference to just your internal catalog. This way, "raco pkg install" will install all packages (and all their

Re: [racket-users] Upgrading installer verification

2021-04-02 Thread James Platt
Are you bringing this up because of the recent rise of dependency confusion attacks? In any case, it would be good to know where Racket stands with that.

On Apr 1, 2021, at 12:39 PM, Sage Gerard wrote:
> Are there any plans to publish GPG signatures for Racket installers, or
> at least

Re: [racket-users] Upgrading installer verification

2021-04-01 Thread Sage Gerard
Thank you.

On 4/1/21 12:42 PM, Sam Tobin-Hochstadt wrote:
> I don't think we have plans to start signing installers. The code that
> creates installers is in the `distro-build` package, and the use of
> sha1 is here:
>

Re: [racket-users] Upgrading installer verification

2021-04-01 Thread Sam Tobin-Hochstadt
I don't think we have plans to start signing installers. The code that creates installers is in the `distro-build` package, and the use of sha1 is here: https://github.com/racket/distro-build/blob/21ccc39fc14408eea79aff035e508856a66adf89/distro-build-server/pack-built.rkt#L76

Sam

On Thu, Apr 1,

[racket-users] Upgrading installer verification

2021-04-01 Thread Sage Gerard
Are there any plans to publish GPG signatures for Racket installers, or at least upgrade the cryptographic hash function used for the checksums? If not, who would be a good person to talk to about contributing that?

-- ~slg