Hi Jason,

On Sun, 23 Dec 2018 23:55:56 +0000 Jason Valencia <[email protected]> wrote:

> Mario Domenech Goulart wrote:
>> On Sun, 23 Dec 2018 00:11:51 +0000 Jason Valencia <[email protected]> wrote:
>> > Until this is resolved, is anyone aware of good ways to install eggs
>> > more securely? A couple options come to mind but they seem overkill.
>> >
>> > - Running a local egg mirror with henrietta as it looks like it can
>> >   fetch over HTTPS
>> >
>> > - Downloading packages with chicken-install -retrieve (to just
>> >   download instead of installing) and manually inspecting each one
>>
>> We actually have tarballs for eggs. They are not used by any tool, so
>> I guess nobody is really making use of them so far. Anyway, they are
>> here: https://code.call-cc.org/egg-tarballs/
>>
>> They are served via HTTPS and there are checksum files for the
>> tarballs. They are not signed, though. There is an index file for
>> each tarball repository (one per major CHICKEN version). For example,
>> for CHICKEN 5: https://code.call-cc.org/egg-tarballs/5/index.gz
>> (gzip-compressed).
>>
>> The format of the index is:
>>
>> * The first line is the index format version
>>
>> * the following lines have this format:
>>   (<egg> <version> <tarball size> <tarball SHA1 sum> <dependencies> <test dependencies>)
>
> Thanks, that is very helpful.
>
>> I have a very ugly script that generates a Makefile to fetch, unpack
>> and install egg tarballs. If you are interested, let me know.
>
> That would be great! Even if it is ugly it should give me a better
> understanding of how this works.

Ok. I've uploaded it to https://github.com/mario-goulart/egg-layer .
I've added a README file with some notes.

I should repeat and emphasize that this is a very ugly hack.

All the best.
Mario
--
http://parenteses.org/mario

_______________________________________________
Chicken-users mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/chicken-users
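Added example, not part of the original message and not code from egg-layer: a Python check of a downloaded egg tarball against its entry in the index described in the quoted text (size and SHA1). It assumes one entry per line and that fields may be bare symbols or quoted strings; the sample index and tarball are constructed. Since the index is not signed, this only binds the tarball to an index fetched over HTTPS.

```python
import gzip
import hashlib
import hmac
import re

# Tokens: parentheses, double-quoted strings, or bare atoms (symbols, numbers).
TOKEN = re.compile(r'\(|\)|"(?:[^"\\]|\\.)*"|[^\s()"]+')

def read_sexp(text):
    """Parse one s-expression into nested lists of strings."""
    stack, current = [], None
    for tok in TOKEN.findall(text):
        if tok == "(":
            stack.append(current)
            current = []
        elif current is None:
            raise ValueError("data outside of a list")
        elif tok == ")":
            done, current = current, stack.pop()
            if current is None:          # closed the top-level list
                return done
            current.append(done)
        else:
            current.append(tok.strip('"'))
    raise ValueError("unterminated or empty entry")

def load_index(gz_bytes):
    """Return (format_version, {(egg, version): entry}) from index.gz bytes."""
    lines = gzip.decompress(gz_bytes).decode("utf-8").splitlines()
    entries = {}
    for line in filter(str.strip, lines[1:]):
        egg, version, size, sha1, deps, test_deps = read_sexp(line)
        entries[(egg, version)] = {"size": int(size), "sha1": sha1.lower(),
                                   "deps": deps, "test_deps": test_deps}
    return lines[0].strip(), entries

def verify_tarball(entry, data):
    """Raise ValueError unless size and SHA1 both match the index entry."""
    if len(data) != entry["size"]:
        raise ValueError("size mismatch")
    if not hmac.compare_digest(hashlib.sha1(data).hexdigest(), entry["sha1"]):
        raise ValueError("SHA1 mismatch")
    return True

# Constructed sample data (not real eggs): a fake tarball and a matching index.
SAMPLE_TARBALL = b"constructed tarball bytes"
SAMPLE_INDEX_GZ = gzip.compress((
    '1\n(demo-egg "1.0.0" %d "%s" (dep-a (dep-b "2.1")) (test-dep))\n'
    % (len(SAMPLE_TARBALL), hashlib.sha1(SAMPLE_TARBALL).hexdigest())
).encode("utf-8"))
```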
