Hello all,

Quoting Hisham (2016-10-22 22:53:02)
> On Oct 22, 2016 4:37 PM, "Adrián Pérez de Castro" <ape...@igalia.com> wrote:
> >
> > Hi!
> >
> > Quoting Nagaev Boris (2016-10-22 19:22:52)
> > > On Sat, Oct 22, 2016 at 6:56 PM, Adrián Pérez de Castro
> > > <ape...@igalia.com> wrote:
> > > > Hello all!
> > > >
> > > > Today I was thinking about the security implications of automatically
> > > > downloading and installing a LuaRocks release, and I noticed that
> > > > releases are not signed in any way, and are served over plain ol' HTTP
> > >
> > > luarocks.org uses https.
> >
> > The link at the wiki page with installation instructions at
> > https://github.com/keplerproject/luarocks/wiki/Download#Downloading has
> > the following link pointing to the releases:
> >
> >   http://luarocks.org/releases
> >
> > which is a redirect to
> >
> >   http://keplerproject.github.io/luarocks/releases/
> 
> Well, since that is a wiki, that link was easy to fix. :)
> 
> > I have just noticed that manually changing the URL to have "https://" as
> > the scheme works, but unfortunately the redirect is sent to plain HTTP:
> >
> >   % curl -si https://luarocks.org/releases | grep '^Location:'
> >   Location: http://keplerproject.github.io/luarocks/releases
> >   %
> 
> Leaf, can you look at this redirect?
> 
> > > > (read: no encryption). It would be interesting to be able to know
> > > > whether a release tarball has been tampered with, to be confident that
> > > > harmful code has not been introduced.
> > > >
> > > > I have an idea [1] for a possible workaround when using Rockz (a Zsh
> > > > plugin which provides a virtualenv-alike tool), but it would still be a
> > > > good thing that releases would be provided with an accompanying PGP
> > > > thing that releases would be provided with an accompanying PGP
> > > > signature. This would be as easy as running:
> > > >
> > > >    % gpg --detach-sign --armor luarocks-X.Y.Z.tar.gz
> > > >
> > > > and including the generated “luarocks-X.Y.Z.tar.gz.asc” file in the
> > > > releases download page. In order to verify the signature, once the
> > > > signature and the tarball are downloaded in the same location, this
> > > > would be done:
> > > >
> > > >    % gpg --verify luarocks-X.Y.Z.tar.gz.asc
> 
> That seems simple enough! I can look into generating and uploading these
> .asc files.

Thanks a lot! I am looking forward to the signed releases -- once the next
one is out, I'll make Rockz verify them automatically on install [1].

--
 ☛ Adrián

[1] https://github.com/aperezdc/rockz/issues/2

Attachment: signature.asc
Description: signature
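The signing and verification commands quoted in the thread, as an added example that is not LuaRocks or Rockz code: a POSIX shell script that generates a throwaway key in an isolated GNUPGHOME, signs a constructed stand-in tarball with `gpg --detach-sign --armor`, and then verifies it the way an installer such as Rockz would need to, pinning the maintainer's fingerprint and rejecting a tampered copy. The signer identity, the file names and the `sign_release`/`verify_release` helpers are assumptions made for this example; the only commands it relies on are `gpg`, `gpgconf`, `tar`, `awk` and `mktemp`.

```sh
#!/bin/sh
# Added example, not code from LuaRocks or Rockz: produce the detached armored
# signature discussed in the thread and verify it, including the checks a
# downloader needs beyond "gpg --verify exited 0".
set -eu

# gpg is the only non-POSIX dependency; without it there is nothing to show,
# so the script ends quietly instead of failing half-way.
command -v gpg >/dev/null 2>&1 || { echo "gpg not found; nothing to demonstrate" >&2; exit 0; }

WORK="$(mktemp -d)"
# Isolated keyring so the example never touches the user's real GnuPG home.
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Throwaway signing identity (constructed for the example; not a LuaRocks key).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Release Signing Test <release-test@example.invalid>' default default never

# Fingerprint of the primary key. A downloader would pin this value obtained
# out of band (project website, a previous already-trusted release), never
# from the same server that serves the tarball and the .asc file.
FPR="$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}')"

# Stand-in release tarball (constructed) so the script runs offline.
TARBALL="$WORK/luarocks-X.Y.Z.tar.gz"
mkdir "$WORK/luarocks-X.Y.Z"
printf 'print("constructed release")\n' > "$WORK/luarocks-X.Y.Z/hello.lua"
tar -C "$WORK" -czf "$TARBALL" luarocks-X.Y.Z

# Maintainer side: the command from the thread, with the signing key pinned.
sign_release() {
    gpg --batch --yes --local-user "$FPR" --detach-sign --armor "$1"
}

# Downloader side. A "Good signature" from gpg only means that *some* key in
# the keyring made it, so in addition to gpg's exit status we require that
# the VALIDSIG status line names the pinned primary-key fingerprint, which
# is the last field of that line.
verify_release() {
    tarball="$1"
    expected_fpr="$2"
    status="$(gpg --batch --status-fd 1 --verify "$tarball.asc" "$tarball" 2>/dev/null)" || return 1
    printf '%s\n' "$status" | awk -v want="$expected_fpr" \
        '$1=="[GNUPG:]" && $2=="VALIDSIG" && $NF==want {ok=1} END {exit ok ? 0 : 1}'
}

sign_release "$TARBALL"

# Tampered copy: the same signature file, one extra byte in the archive.
TAMPERED="$WORK/tampered/luarocks-X.Y.Z.tar.gz"
mkdir "$WORK/tampered"
cp "$TARBALL" "$TAMPERED"
cp "$TARBALL.asc" "$TAMPERED.asc"
printf 'x' >> "$TAMPERED"

if verify_release "$TARBALL" "$FPR"; then echo "pristine tarball: signature OK"; else echo "pristine tarball: REJECTED"; fi
if verify_release "$TAMPERED" "$FPR"; then echo "tampered tarball: ACCEPTED (bug)"; else echo "tampered tarball: rejected"; fi
```

Two points the verification side makes that the bare `gpg --verify` in the thread does not: the signature only proves origin if the fingerprint it is checked against was learned over a channel the attacker cannot also control (an attacker who can serve a modified tarball over the plain-HTTP redirect can just as easily serve a matching `.asc` from their own key), and the result must be read from gpg's exit status plus the `VALIDSIG` status line, not by grepping human-readable output, which is localized and changes between versions.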

_______________________________________________
Luarocks-developers mailing list
Luarocks-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/luarocks-developers
