Hi James,

If you are worried about dependency confusion attacks, you can set up your own package catalog on an internal server, delete the default catalogs from Racket and add only a reference to your internal catalog. This way, "raco pkg install" will install all packages (and all their dependencies) only from a source which you have full control of.
I use a similar technique when I build my application on the CI server, to ensure that all packages and their dependencies are under source control and no untracked dependency sneaks in via a new package dependency.

Alex.

On Saturday, April 3, 2021 at 12:26:08 AM UTC+8 James Platt wrote:
> Are you bringing this up because of the recent rise of dependency confusion attacks? In any case, it would be good to know where Racket stands with that.
>
> On Apr 1, 2021, at 12:39 PM, Sage Gerard wrote:
>> Are there any plans to publish GPG signatures for Racket installers, or at least upgrade the cryptographic hash function used for the checksums?
>>
>> If not, who would be a good person to talk to about contributing that?
>>
>> --
>> ~slg

--
You received this message because you are subscribed to the Google Groups "Racket Users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/racket-users/7e7c1ff2-927b-4c1a-ad12-d35b4cf6a68en%40googlegroups.com.
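As an added illustration of the catalog-pinning approach described in this thread (example code, not from Alex's message or from the Racket project), a POSIX shell script that replaces the configured catalog list with a single internal catalog and then audits the list so that a public catalog cannot silently reappear; the internal catalog URL is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: pin raco to one internal catalog and
# audit the result so a public catalog cannot quietly reappear in the config.
# ASSUMPTION: https://pkgs.example.internal/catalog/ is a placeholder for the
# internal catalog server; substitute your own.
set -u

INTERNAL_CATALOG="https://pkgs.example.internal/catalog/"
# Space-separated allow-list of catalogs permitted in `raco pkg config catalogs`.
ALLOWED_CATALOGS="$INTERNAL_CATALOG"

# Replace the installation-wide catalog list with only the internal catalog.
# `raco pkg config --set catalogs ...` overwrites the whole list, so the default
# public catalogs are dropped rather than appended to.
pin_catalogs() {
  raco pkg config --installation --set catalogs "$INTERNAL_CATALOG"
}

# Read one catalog URL per line on stdin (the format `raco pkg config catalogs`
# prints) and fail if any entry is outside the allow-list. Returns 0 only when
# every configured catalog is one we control.
audit_catalogs() {
  status=0
  while IFS= read -r url || [ -n "$url" ]; do
    if [ -z "$url" ]; then
      continue
    fi
    case " $ALLOWED_CATALOGS " in
      *" $url "*) ;;
      *)
        echo "untrusted catalog configured: $url" >&2
        status=1
        ;;
    esac
  done
  return "$status"
}

# On a real machine or CI runner: `sh pin-catalog.sh apply` pins and then
# verifies; without "apply" only the functions are defined.
if [ "${1:-}" = "apply" ]; then
  pin_catalogs
  raco pkg config catalogs | audit_catalogs
fi
```

Running the audit as a separate CI step after `raco pkg install` catches a later `raco pkg config` change that re-adds a public catalog, which is exactly the case where an untracked dependency could slip in.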

