Hello all! Today I was thinking about the security implications of automatically downloading and installing a LuaRocks release, and I noticed that releases are not signed in any way, and are served over plain ol' HTTP (read: no encryption). It would be interesting to be able to know whether a release tarball has been tampered with, to be confident that harmful code has not been introduced.
I have an idea [1] for a possible workaround when using Rockz (a Zsh plugin which provides a virtualenv-alike tool), but it would still be a good thing if releases were provided with an accompanying PGP signature. This would be as easy as running:

    % gpg --detach-sign --armor luarocks-X.Y.Z.tar.gz

and including the generated “luarocks-X.Y.Z.tar.gz.asc” file in the releases download page. In order to verify the signature, once the signature and the tarball are downloaded to the same location, this would be done:

    % gpg --verify luarocks-X.Y.Z.tar.gz.asc

Is there any chance that upcoming releases could be signed?

Cheers, and thanks for listening^W reading :-)

--
☛ Adrián

P.S: A different topic (interesting by itself) would be having support for providing signed rocks/rockspecs, and that “luarocks install” would verify the signatures of the packages it is installing...

[1] https://github.com/aperezdc/rockz/issues/2
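As an added example (not from the original post or the LuaRocks project), here is a Python wrapper around the `gpg --verify` step proposed above. A plain `gpg --verify` also succeeds for a good signature from any key already in the local keyring, so the wrapper parses gpg's `--status-fd` output and additionally pins the expected signer's fingerprint; the sample status lines, key id and fingerprint are constructed placeholders.

```python
# Pinned-key check of a detached PGP signature (added example, not LuaRocks code).
# `gpg --verify` exits 0 for a good signature from ANY key in the local keyring,
# so a release check should also pin the signer's fingerprint via --status-fd.
import subprocess
from dataclasses import dataclass
from typing import Optional

FAIL_TAGS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}

@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None

def check_gpg_status(status_text: str, expected_fpr: str) -> Verdict:
    """Interpret '[GNUPG:] ...' status lines; runs no gpg itself."""
    good, fpr, primary = False, None, None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        tag = parts[1]
        if tag in FAIL_TAGS:
            return Verdict(False, tag)
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG" and len(parts) >= 3:
            fpr = parts[2].upper()  # fingerprint of the signing (sub)key
            primary = parts[11].upper() if len(parts) >= 12 else fpr  # primary key
    if not good or fpr is None:
        return Verdict(False, "no GOODSIG/VALIDSIG in gpg output")
    expected = expected_fpr.replace(" ", "").upper()
    if expected not in (fpr, primary):
        return Verdict(False, f"signed by unexpected key {fpr}", fpr)
    return Verdict(True, "good signature from pinned key", fpr)

def verify_release(tarball: str, signature: str, expected_fpr: str) -> Verdict:
    """Run gpg on a downloaded tarball + .asc pair and pin the signer."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True, check=False)
    return check_gpg_status(proc.stdout, expected_fpr)

# Constructed sample of gpg's status output for a good signature; the key id,
# fingerprint and user id are made-up placeholders, not a real LuaRocks key.
SAMPLE_GOOD = """[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2017-01-01 1483228800 0 4 0 1 8 00 0000000000000000000000000123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
PINNED_FPR = "0000000000000000000000000123456789ABCDEF"
```

Note that `TRUST_UNDEFINED` is ignored on purpose: pinning the fingerprint replaces reliance on the web-of-trust level, which is usually undefined for a freshly imported release key.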
_______________________________________________
Luarocks-developers mailing list
Luarocks-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/luarocks-developers