Re: [racket-users] Upgrading installer verification

2021-04-06 Thread James Platt
On Apr 2, 2021, at 6:59 PM, Alex Harsányi wrote:

> Hi James,
> 
> If you are worried about dependency confusion attacks, you can set up your 
> own package catalog on an internal server, delete the default catalogs from 
> racket and add only a reference to your internal catalog.  This way, "raco 
> pkg install" will install all packages (and all their dependencies) only from 
> a source which you have full control of.
> 
> I use a similar technique when I build my application on the CI server, to 
> ensure that all packages and their dependencies are under source control and 
> no untracked dependency sneaks in via a new package dependency. 

Thanks.  I had not thought of that.  My company will probably want to do 
something of the kind before we release anything to the public.  

-- 
You received this message because you are subscribed to the Google Groups 
"Racket Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to racket-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/racket-users/A5666929-68E1-4A8F-94DC-B085633D17C5%40biomantica.com.


Re: [racket-users] Upgrading installer verification

2021-04-02 Thread Sam Tobin-Hochstadt
There is indeed signing for Ubuntu PPAs, but that's specific both to apt
and to the PPA system.

Sam

On Fri, Apr 2, 2021, 9:29 PM Sage Gerard  wrote:

> No, I'm just looking for extra confidence when verifying installers.
>
> On that note, did Ubuntu require someone to sign packages to distribute
> packages via apt? Can that be repurposed here?
>
> On 4/2/21 12:26 PM, James Platt wrote:
> >
> > Are you bringing this up because of the recent rise of dependency confusion
> > attacks?  In any case, it would be good to know where Racket stands with
> > that.
> >
> > On Apr 1, 2021, at 12:39 PM, Sage Gerard wrote:
> >
> >> Are there any plans to publish GPG signatures for Racket installers, or
> >> at least upgrade the cryptographic hash function used for the checksums?
> >>
> >> If not, who would be a good person to talk to about contributing that?
> >>
> >> --
> >> ~slg
> >>
>
> --
> ~slg

To view this discussion on the web visit 
https://groups.google.com/d/msgid/racket-users/CAK%3DHD%2BaS_J2_%2BT5nEsCLJpi0rEw4AcEKr3rz_PcKVjRNWcaCLA%40mail.gmail.com.


Re: [racket-users] Upgrading installer verification

2021-04-02 Thread Sage Gerard
No, I'm just looking for extra confidence when verifying installers.

On that note, did Ubuntu require someone to sign packages to distribute
packages via apt? Can that be repurposed here?

On 4/2/21 12:26 PM, James Platt wrote:
>
> Are you bringing this up because of the recent rise of dependency confusion 
> attacks?  In any case, it would be good to know where Racket stands with that.
>
> On Apr 1, 2021, at 12:39 PM, Sage Gerard wrote:
>
>> Are there any plans to publish GPG signatures for Racket installers, or
>> at least upgrade the cryptographic hash function used for the checksums?
>>
>> If not, who would be a good person to talk to about contributing that?
>>
>> --
>> ~slg
>>

--
~slg


To view this discussion on the web visit 
https://groups.google.com/d/msgid/racket-users/3b144b15-e5a1-8139-496d-c1a36e401117%40sagegerard.com.


Re: [racket-users] Upgrading installer verification

2021-04-02 Thread Alex Harsányi
Hi James,

If you are worried about dependency confusion attacks, you can set up your 
own package catalog on an internal server, delete the default catalogs from 
racket and add only a reference to your internal catalog.  This way, 
"raco pkg install" will install all packages (and all their dependencies) 
only from a source which you have full control of.

I use a similar technique when I build my application on the CI server, to 
ensure that all packages and their dependencies are under source control 
and no untracked dependency sneaks in via a new package dependency. 

Alex.

On Saturday, April 3, 2021 at 12:26:08 AM UTC+8 James Platt wrote:

>
> Are you bringing this up because of the recent rise of dependency confusion 
> attacks? In any case, it would be good to know where Racket stands with 
> that. 
>
> On Apr 1, 2021, at 12:39 PM, Sage Gerard wrote:
>
> > Are there any plans to publish GPG signatures for Racket installers, or
> > at least upgrade the cryptographic hash function used for the checksums?
> > 
> > If not, who would be a good person to talk to about contributing that?
> > 
> > --
> > ~slg

To view this discussion on the web visit 
https://groups.google.com/d/msgid/racket-users/7e7c1ff2-927b-4c1a-ad12-d35b4cf6a68en%40googlegroups.com.
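The catalog lock-down Alex describes, as an added shell example; it is not code from this thread or from the Racket project. The `raco pkg config` subcommands are the real ones, while the internal catalog URL and the `catalogs_are_internal` CI guard are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or the Racket project: pin
# `raco pkg` to a single internal catalog and give CI a guard that fails
# the build if any other catalog is still configured.
set -eu

# Hypothetical internal catalog; replace with your own server.
INTERNAL_CATALOG="https://pkgs.internal.example/catalog/"

# Reads catalog URLs, one per line, on stdin (the format printed by
# `raco pkg config catalogs`) and returns 0 only if the list is non-empty
# and every entry is exactly the expected internal catalog.
catalogs_are_internal() {
    expected="$1"
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        count=$((count + 1))
        if [ "$line" != "$expected" ]; then
            echo "unexpected catalog configured: $line" >&2
            return 1
        fi
    done
    if [ "$count" -eq 0 ]; then
        echo "no catalogs configured" >&2
        return 1
    fi
    return 0
}

# The raco steps only run where raco is installed; the guard above is
# usable (and testable) without it.
if command -v raco >/dev/null 2>&1; then
    # --set replaces the whole catalog list at installation scope (-i), so
    # the public catalogs (pkgs.racket-lang.org and friends) disappear and
    # "raco pkg install" can only resolve names through the internal one.
    raco pkg config -i --set catalogs "$INTERNAL_CATALOG"

    # Fail the CI job if the effective installation-scope list is anything
    # other than the internal catalog.
    raco pkg config -i catalogs | catalogs_are_internal "$INTERNAL_CATALOG"
fi
```

The internal catalog itself can be a directory produced by `raco pkg catalog-copy` and served over HTTPS, or a small service that maps each package name to a repository you control; either way the point is that name resolution never reaches the public catalog, which is what makes a dependency-confusion substitution impossible rather than merely unlikely.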


Re: [racket-users] Upgrading installer verification

2021-04-02 Thread James Platt


Are you bringing this up because of the recent rise of dependency confusion 
attacks?  In any case, it would be good to know where Racket stands with that.  

On Apr 1, 2021, at 12:39 PM, Sage Gerard wrote:

> Are there any plans to publish GPG signatures for Racket installers, or
> at least upgrade the cryptographic hash function used for the checksums?
> 
> If not, who would be a good person to talk to about contributing that?
> 
> --
> ~slg

To view this discussion on the web visit 
https://groups.google.com/d/msgid/racket-users/8DEE7478-3E76-43EC-8691-AA44D016E764%40biomantica.com.


Re: [racket-users] Upgrading installer verification

2021-04-01 Thread Sage Gerard
Thank you.

On 4/1/21 12:42 PM, Sam Tobin-Hochstadt wrote:
> I don't think we have plans to start signing installers. The code that
> creates installers is in the `distro-build` package, and the use of
> sha1 is here: 
> https://github.com/racket/distro-build/blob/21ccc39fc14408eea79aff035e508856a66adf89/distro-build-server/pack-built.rkt#L76
>
> Sam
>
> On Thu, Apr 1, 2021 at 12:39 PM Sage Gerard  wrote:
>> Are there any plans to publish GPG signatures for Racket installers, or
>> at least upgrade the cryptographic hash function used for the checksums?
>>
>> If not, who would be a good person to talk to about contributing that?
>>
>> --
>> ~slg

--
~slg


To view this discussion on the web visit 
https://groups.google.com/d/msgid/racket-users/f7d2c349-27c1-130d-e6bd-98526ccc691b%40sagegerard.com.


Re: [racket-users] Upgrading installer verification

2021-04-01 Thread Sam Tobin-Hochstadt
I don't think we have plans to start signing installers. The code that
creates installers is in the `distro-build` package, and the use of
sha1 is here: 
https://github.com/racket/distro-build/blob/21ccc39fc14408eea79aff035e508856a66adf89/distro-build-server/pack-built.rkt#L76

Sam

On Thu, Apr 1, 2021 at 12:39 PM Sage Gerard  wrote:
>
> Are there any plans to publish GPG signatures for Racket installers, or
> at least upgrade the cryptographic hash function used for the checksums?
>
> If not, who would be a good person to talk to about contributing that?
>
> --
> ~slg

To view this discussion on the web visit 
https://groups.google.com/d/msgid/racket-users/CAK%3DHD%2Bbk-AFfBqea1ZpwooO-p%2B%3DpuByuWpNTTKTM9oPOTfEWLg%40mail.gmail.com.
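For the checksum side of Sage's question, an added shell example of verifying a downloaded installer against a published hex digest; it is not code from this thread or from distro-build. It picks the algorithm from the digest length and refuses a bare SHA-1 digest unless ALLOW_SHA1=1 is set, so a build script notices when it is still trusting SHA-1 rather than silently accepting it. The function names are assumptions for the example. Independent of the hash function, a digest fetched from the same server as the installer only detects download corruption or a tampered mirror, not a compromise of that server; authentication of the publisher is what a signature checked against a key obtained out of band would add.

```shell
#!/bin/sh
# Added example, not code from the thread or from distro-build: verify a
# downloaded installer against a published hex digest.  The algorithm is
# chosen from the digest length (40 hex chars = SHA-1, 64 = SHA-256) and a
# SHA-1 digest is refused unless the caller sets ALLOW_SHA1=1.
set -eu

# digest_of ALG FILE: print the lowercase hex digest of FILE (ALG is sha1 or
# sha256), using coreutils sha*sum when present and shasum otherwise.
digest_of() {
    alg="$1"
    file="$2"
    case "$alg" in
        sha1)   bits=1 ;;
        sha256) bits=256 ;;
        *) echo "unsupported algorithm: $alg" >&2; return 2 ;;
    esac
    if command -v "${alg}sum" >/dev/null 2>&1; then
        "${alg}sum" "$file" | cut -d' ' -f1
    else
        shasum -a "$bits" "$file" | cut -d' ' -f1
    fi
}

# verify_installer FILE EXPECTED_HEX: returns 0 if FILE hashes to
# EXPECTED_HEX under the algorithm implied by its length; returns 1 on a
# mismatch, on a refused SHA-1 digest, or on an unrecognised digest length.
verify_installer() {
    file="$1"
    # Normalise case so a digest copied from a web page compares equal.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "${#expected}" in
        40)
            if [ "${ALLOW_SHA1:-0}" != "1" ]; then
                echo "$file: refusing SHA-1-only verification (set ALLOW_SHA1=1 to accept a weak digest)" >&2
                return 1
            fi
            alg=sha1 ;;
        64) alg=sha256 ;;
        *)
            echo "$file: digest length ${#expected} is neither SHA-1 nor SHA-256" >&2
            return 1 ;;
    esac
    actual=$(digest_of "$alg" "$file")
    if [ "$actual" = "$expected" ]; then
        echo "$file: $alg digest matches"
        return 0
    fi
    echo "$file: $alg digest MISMATCH (expected $expected, got $actual)" >&2
    return 1
}

# Usage: sh verify-installer.sh <installer file> <hex digest from the download page>
if [ "$#" -eq 2 ]; then
    verify_installer "$1" "$2"
fi
```

Run it with ALLOW_SHA1 unset in CI so the job fails loudly while only SHA-1 digests are published, and drop the override the day a SHA-256 digest (or a signature) becomes available.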


[racket-users] Upgrading installer verification

2021-04-01 Thread Sage Gerard
Are there any plans to publish GPG signatures for Racket installers, or
at least upgrade the cryptographic hash function used for the checksums?

If not, who would be a good person to talk to about contributing that?

--
~slg


To view this discussion on the web visit 
https://groups.google.com/d/msgid/racket-users/70e8acf9-9993-0e7c-3d10-b7964cc6ed03%40sagegerard.com.