[Chicken-users] chicken-install package integrity/signing

chicken-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Chicken-users] chicken-install package integrity/signing

From:	Jason Valencia
Subject:	[Chicken-users] chicken-install package integrity/signing
Date:	Sat, 24 Nov 2018 17:56:52 +0000

As far as I can tell, chicken-install (as of 5.0.0 and before):
- Does not download packages over HTTPS, and
- Does no package signing

Because of this, it would be trivial for anyone sitting between my
computer and my mirror (i.e. when using public Wi-Fi or other untrusted
networks) to tamper with the code I receive. This is bad as a malicious
actor could potentially run code on my machine, or install code that
will be run later, possibly even as root.

I think it would be good to sign packages, and refuse to install a
package if it has an invalid signature. HTTPS would also be nice, but is
not necessary. I believe this is what Debian does by default; packages
are signed and served over regular HTTP.

The setup.defaults file containing a list of mirrors could contain a
fingerprint, maybe per-repository so it would be possible to have an
in-house repository that is signed with a different key, or unsigned.

[Prev in Thread]

Current Thread

[Next in Thread]

[Chicken-users] chicken-install package integrity/signing, Jason Valencia <=
- Re: [Chicken-users] chicken-install package integrity/signing, Thomas Chust, 2018/11/25

Prev by Date: Re: [Chicken-users] pp and write ignore keyword-style
Next by Date: [Chicken-users] new egg: simple-timer
Previous by thread: [Chicken-users] Duplicate symbol errors with functors and -static flag
Next by thread: Re: [Chicken-users] chicken-install package integrity/signing
Index(es):
- Date
- Thread