Has someone verified that sage doesn't download code over unencrypted channels?

Georgi Guninski

Feb 10, 2025, 3:44:18 AM
to sage-...@googlegroups.com
Downloading and running code over unencrypted channels like 'http://'
is dangerous from a security point of view.

The question includes building sage from source.

Searching:

$/tmp/sage-10.5$ grep -rnI 'http://' . | grep -v -w gnu | grep -v -w sagemath | wc -l
1306

Michael Orlitzky

Feb 10, 2025, 9:36:24 AM
to sage-...@googlegroups.com
On 2025-02-10 10:43:37, Georgi Guninski wrote:
> Downloading and running code over unencrypted channels like 'http://'
> is dangerous from a security point of view.

There's a sha256 hash in each build/pkgs/<package>/checksums.ini. So
long as the developer who commits checksums.ini has either (a)
verified the upstream signature or (b) used a secure channel, the
channel eventually used by the user doesn't matter too much.

(I doubt that anyone is actually doing this for http:// tarballs, but
there is a solution for this problem.)

Georgi Guninski

Feb 10, 2025, 10:32:36 AM
to sage-...@googlegroups.com
FWIW:

$find /tmp/sage-10.5/ -name checksums.ini -exec grep -E "http://|ftp://" {} \; | wc -l
7

This appears dynamic:

upstream_url=ftp://jim.mathematik.uni-kl.de/pub/Math/Singular/SOURCES/${VERSION_MAJOR}-${VERSION_MINOR}-${VERSION_MICRO}/singular-VERSION.tar.gz
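
An added example, not written by any poster in this thread and not Sage project code: a Python sketch that combines the two points above by listing every checksums.ini whose upstream_url uses http:// or ftp:// and reporting whether a sha256 value is pinned beside it. The key name `sha256`, the flat key=value layout, and the sample packages are assumptions constructed for the example.

```python
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

CLEARTEXT = {"http", "ftp"}  # schemes that give no transport integrity

def parse_ini(path):
    """Parse a flat key=value file (assumed checksums.ini layout)."""
    fields = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip()
    return fields

def audit(root):
    """Return (package, scheme, pinned) for each cleartext upstream_url under root."""
    findings = []
    for ini in Path(root).rglob("checksums.ini"):
        fields = parse_ini(ini)
        scheme = urlsplit(fields.get("upstream_url", "")).scheme.lower()
        if scheme in CLEARTEXT:
            digest = fields.get("sha256", "").lower()  # assumed key name
            pinned = len(digest) == 64 and set(digest) <= set("0123456789abcdef")
            findings.append((ini.parent.name, scheme, pinned))
    return sorted(findings)

def build_sample_tree(root):
    """Write constructed sample packages; none of this is taken from the Sage tree."""
    samples = {
        "pkg_a": "sha256=" + "ab" * 32 + "\nupstream_url=http://example.org/a-VERSION.tar.gz\n",
        "pkg_b": "upstream_url=ftp://example.org/pub/${VERSION_MAJOR}/b-VERSION.tar.gz\n",
        "pkg_c": "sha256=" + "cd" * 32 + "\nupstream_url=https://example.org/c-VERSION.tar.gz\n",
    }
    for name, body in samples.items():
        pkg = Path(root, name)
        pkg.mkdir()
        (pkg / "checksums.ini").write_text(body, encoding="utf-8")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit(tmp)

if __name__ == "__main__":
    for package, scheme, pinned in demo():
        print(f"{package}: {scheme}:// upstream, sha256 pinned: {pinned}")
```

A cleartext entry reported with pinned False is the case where the download channel is the only integrity control; a pinned entry still depends on how the committed hash was obtained.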

Dima Pasechnik

Feb 10, 2025, 10:38:05 AM
to sage-...@googlegroups.com
I suppose most http: strings are in documentation.

Georgi Guninski

Feb 10, 2025, 12:29:01 PM
to sage-...@googlegroups.com
On Mon, Feb 10, 2025 at 5:38 PM Dima Pasechnik <dim...@gmail.com> wrote:
>
> I suppose most http: strings are in documentation.
>

I think this is not the case.
The original command skips sagemath via `grep -v -w sagemath`

On an empty tree:
$grep -E -r "http://www.sagemath|http://sagemath" /tmp/sage-10.5/| wc -l
87

Nils Bruin

Feb 10, 2025, 2:52:20 PM
to sage-devel
There's an interesting one in

./build/sage_bootstrap/download/mirror_list.py:

which would probably be better as https. Because of the checksums I don't think there's much direct risk from it, but it does open up sage-generated traffic to theoretical MITM attacks. DNS interceptions (which are outside of sage's control) are likely much more dangerous, but why not use https:// instead?

Scanning through the other ones, I think they are all in copyright banners and documentation. Note that http://www.sagemath.org/ redirects to https://www.sagemath.org/ anyway, so changing this to https:// shouldn't reduce any compatibility/functionality and would remove one possible MITM operation (with uncertain effects).