On Mon, Jul 3, 2017 at 8:08 AM, liangqi (D) <[email protected]> wrote:

> Thanks for the info.
>
> I've checked the rvm's install guide at https://rvm.io/rvm/install, and it seems that the install script itself at https://get.rvm.io is not verified by gpg; the gpg keys are for the rvm packages' verification.
>
> At the link https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-pgp-verified-install, it gives a way to sign the installing script itself (https://docs.sandstorm.io/en/latest/install/#option-3-pgp-verified-install).
>
> Also I checked that by default opnfv.org is hosted as https.
>
> Following sandstorm.io's way, when we finally release the script, we put it to https://get.opnfv.org/ephrates/quickstart.sh, the script's signature file to https://get.opnfv.org/ephrates/quickstart.sh.sig, and the pgp key at https://raw.githubusercontent.com/opnfv/releng/master/keys/release-keyring.gpg
>
> Then those who do not trust https can use the commands below to use the quickstart.sh script.
>
> ```bash
> curl https://raw.githubusercontent.com/opnfv/releng/master/keys/release-keyring.gpg | \
>   gpg --import
> wget https://get.opnfv.org/ephrates/quickstart.sh
> wget https://get.opnfv.org/ephrates/quickstart.sh.sig
> gpg --verify quickstart.sh.sig quickstart.sh
> bash quickstart.sh
> ```
>
> Those who trust https or at least trust github can still use:
>
> ```bash
> curl https://get.opnfv.org/ephrates/quickstart.sh | bash
> ```
>
> The above is better, as it's on our infra then.
> or
>
> ```bash
> wget https://raw.githubusercontent.com/opnfv/releng/ephrates/quickstart/quickstart.sh
> bash quickstart.sh
> ```
>
> Is it ok?
>

Yep, I am totally ok with that approach. That way we give people who want the secure option a means to do so. Thanks for being receptive to this. Good work!

> Best Regards,
> Qi Liang
> ------------------------------
> *From:* Luke Hinds [[email protected]]
> *Sent:* Friday, June 30, 2017 17:52
> *To:* liangqi (D)
> *Cc:* [email protected]; [email protected]; [email protected]
> *Subject:* Re: [opnfv-tech-discuss] [Infra][Pharos][Releng][Octopus] Proposal to implement installers' quickstart wrapper scripts
>
> Some articles on risks:
>
> https://sysdig.com/blog/friends-dont-let-friends-curl-bash/
>
> https://www.seancassidy.me/dont-pipe-to-your-shell.html
>
> https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-pgp-verified-install
>
> The safest way to do this is using GPG with --recv-key and --verify; I am sure with some creativity it's possible to get it into one line. I believe rvm do this.
>
> On Fri, Jun 30, 2017 at 4:06 AM, liangqi (D) <[email protected]> wrote:
>
>> Thanks for pointing out this security issue.
>>
>> I think curl | bash install is the easiest way to deploy a system, and with minimum dependency. Could you please give some examples on how to use a checksum to ensure the script is securely executed.
>>
>> I saw that the head of https://get.docker.com/ has info like:
>>
>> ```bash
>> # This script is meant for quick & easy install via:
>> #   $ curl -fsSL get.docker.com -o get-docker.sh
>> #   $ sh get-docker.sh
>> #
>> # For test builds (ie. release candidates):
>> #   $ curl -fsSL test.docker.com -o test-docker.sh
>> #   $ sh test-docker.sh
>> #
>> # NOTE: Make sure to verify the contents of the script
>> #       you downloaded matches the contents of install.sh
>> #       located at https://github.com/docker/docker-install
>> #       before executing.
>> ```
>>
>> Best Regards,
>> Qi Liang
>> ------------------------------
>> *From:* Luke Hinds [[email protected]]
>> *Sent:* Thursday, June 29, 2017 18:32
>> *To:* liangqi (D)
>> *Cc:* [email protected]; [email protected]; [email protected]
>> *Subject:* Re: [opnfv-tech-discuss] [Infra][Pharos][Releng][Octopus] Proposal to implement installers' quickstart wrapper scripts
>>
>> Hi,
>>
>> Don't want to detract from the topic, but please do not use curl | bash; it's dangerous, and if opnfv.org is ever compromised, scripts like this could be used to back door all the PODs and test sites deployed by end users.
>>
>> If deploying a system this way, then use a checksum (with sha256 or stronger) first to ensure the script has not been tampered with (I have examples if some are needed).
>>
>> Cheers,
>>
>> Luke
>>
>> On Thu, Jun 29, 2017 at 10:54 AM, liangqi (D) <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> In OPNFV we have 4 installers in the Danube release, and we will have more in the next release. Each of them supports multiple scenarios and has different install user steps. This is quite confusing and difficult to use, especially for newbies.
>>>
>>> In releng we already have scripts to trigger all installers' deploy and test, but the scripts are CI oriented, not user oriented.
>>>
>>> So I propose to implement wrapper scripts in releng to provide an easy way for people to try opnfv. With minimum requirements (a server with Ubuntu 14.04/16.04 or CentOS7 installed and with internet connectivity), without checking the detailed installers' install guide, just run one command and you will get your environment ready.
>>>
>>> The simplest way to install an opnfv environment will be like:
>>> `curl https://get.opnfv.org/ephrates/quickstart.sh | bash`.
>>>
>>> For each installer we may have one command deploy like:
>>> `curl https://get.opnfv.org/ephrates/compass/quickstart.sh | bash`
>>>
>>> Basic virtual deploy workflows:
>>>
>>> 1. Run command (e.g. `curl https://get.opnfv.org/ephrates/quickstart.sh | bash`)
>>> 2. Check environment
>>> 3. Fetch supported installers and select one installer
>>> 4. Generate the deploy command and execute
>>> 5. Verify the deployed environment
>>> 6. Deploy success
>>>
>>> For BareMetal deployment the workflow is almost the same; the only difference is you need to prepare physical servers/switches, connect the cables, set up the switches, create a pod-descriptor file, and run the deploy command with the pod-descriptor file.
>>>
>>> The attached slide illustrates the initial idea, which was shared by Justin at the OPNFV Summit in Beijing.
>>> Here is the initial script patch: https://gerrit.opnfv.org/gerrit/#/c/36711/
>>>
>>> @Uli, I saw you've sent the latest infra working group meeting agenda in the mailing list. Could you please include the topic in the infra working group meeting agenda.
>>>
>>> Welcome feedback, comments, discuss here or at the infra working group meeting.
>>>
>>> Best Regards,
>>> Qi Liang
>>>
>>> _______________________________________________
>>> opnfv-tech-discuss mailing list
>>> [email protected]
>>> https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
>>>
>>>
>>
>>
>> --
>> Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
>> e: [email protected] | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44 12 52 36 2483
>>
>
>
>
> --
> Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
> e: [email protected] | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44 12 52 36 2483
>

--
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: [email protected] | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44 12 52 36 2483
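The "download to a file, verify against a checksum or a pinned keyring, only then execute" flow that the thread converges on, written out as an added example (not code from the thread or from OPNFV's releng repo). It assumes sha256sum or shasum, awk, mktemp, curl and gpg are installed; the URL, expected digest and keyring are caller input, not OPNFV's published values.

```shell
#!/bin/sh
# Added example, not code from the thread: save first, verify, then run,
# instead of `curl ... | bash`. Tool availability (sha256sum/shasum, awk,
# mktemp, curl, gpg) is an assumption; URLs and keyrings come from the caller.

# Print the SHA-256 hex digest of FILE (works with sha256sum or shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{print $1}'
}

# verify_sha256 FILE EXPECTED_HEX: 0 if the digest matches the value
# published out of band (release notes, signed page), 1 otherwise.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# verify_gpg FILE SIGFILE KEYRING: 0 only if SIGFILE is a valid detached
# signature over FILE by a key in KEYRING. A throwaway --homedir makes the
# check depend on the pinned keyring alone, not on the user's imported keys.
verify_gpg() {
    tmp=$(mktemp -d) || return 1
    if gpg --homedir "$tmp" --batch --quiet --import "$3" 2>/dev/null &&
       gpg --homedir "$tmp" --batch --quiet --verify "$2" "$1" 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# fetch_verify_run URL EXPECTED_HEX: a pipe can run a half-downloaded script
# if the connection drops; saving first and checking the digest avoids that.
# Refuses to execute on mismatch; otherwise returns bash's own exit status.
fetch_verify_run() {
    script=$(mktemp) || return 1
    if ! curl -fsSL "$1" -o "$script"; then
        rm -f "$script"; return 1
    fi
    if verify_sha256 "$script" "$2"; then
        bash "$script"; rc=$?
    else
        echo "checksum mismatch for $1, refusing to run" >&2; rc=2
    fi
    rm -f "$script"
    return $rc
}
```

The gpg path mirrors the thread's `gpg --verify quickstart.sh.sig quickstart.sh` step but imports the keyring into a temporary home so an unrelated key already on the machine cannot satisfy the check.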