Upgrading installer verification


Sage Gerard

Apr 1, 2021, 12:39:26 PM
to racket...@googlegroups.com
Are there any plans to publish GPG signatures for Racket installers, or
at least upgrade the cryptographic hash function used for the checksums?

If not, who would be a good person to talk to about contributing that?

--
~slg


Sam Tobin-Hochstadt

Apr 1, 2021, 12:42:19 PM
to Sage Gerard, Racket Users
I don't think we have plans to start signing installers. The code that
creates installers is in the `distro-build` package, and the use of
sha1 is here: https://github.com/racket/distro-build/blob/21ccc39fc14408eea79aff035e508856a66adf89/distro-build-server/pack-built.rkt#L76

Sam

Sage Gerard

Apr 1, 2021, 12:42:56 PM
to Sam Tobin-Hochstadt, Racket Users
Thank you.
--
~slg


James Platt

Apr 2, 2021, 12:26:08 PM
to Racket Users

Are you bringing this up because of the recent rise of dependency confusion attacks? In any case, it would be good to know where Racket stands with that.

Alex Harsányi

Apr 2, 2021, 6:59:27 PM
to Racket Users
Hi James,

If you are worried about dependency confusion attacks, you can set up your own package catalog on an internal server, delete the default catalogs from racket and add a reference to just your internal catalog. This way, "raco pkg install" will install all packages (and all their dependencies) only from a source which you have full control of.

I use a similar technique when I build my application on the CI server, to ensure that all packages and their dependencies are under source control and no untracked dependency sneaks in via a new package dependency.

Alex.
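
The lockdown Alex describes, as an added shell example that is not part of the thread: `raco pkg config --set catalogs` replaces the whole catalog list, so pointing it at a single internal catalog drops the public defaults, and a small checker confirms nothing else is left. The internal catalog URL is a placeholder, and the checker assumes `raco pkg config catalogs` prints one URL per line.

```shell
#!/bin/sh
# Added example (not from the thread). Restrict raco to one internal
# catalog and verify that no other catalog is still configured.
# Placeholder: replace with the URL your internal catalog server serves.
INTERNAL_CATALOG="https://pkgs.internal.example/catalog/"

# Return 0 only if every line of $1 (catalog list, one URL per line)
# is exactly the internal catalog $2. Comparison is exact, so pass the
# same string you configured. An empty list also fails: raco would then
# resolve nothing, which usually means the config step did not apply.
catalogs_only_internal() {
    list=$1
    internal=$2
    if [ -z "$list" ]; then
        echo "no catalogs configured" >&2
        return 1
    fi
    printf '%s\n' "$list" | while IFS= read -r url; do
        if [ -z "$url" ]; then
            continue
        fi
        if [ "$url" != "$internal" ]; then
            # Anything other than the internal catalog is a leak back to
            # a public source, which is what dependency confusion abuses.
            echo "unexpected catalog: $url" >&2
            exit 1
        fi
    done
}

# Snapshot an existing catalog into a local directory that your internal
# server can publish; $1 is the source catalog URL, $2 the destination dir.
snapshot_catalog() {
    raco pkg catalog-copy "$1" "$2"
}

# Make the internal catalog the only one, installation-wide, then verify.
lock_to_internal_catalog() {
    internal=$1
    # --set replaces the whole list, so the default public catalogs go away.
    raco pkg config --scope installation --set catalogs "$internal" || return 1
    catalogs_only_internal "$(raco pkg config catalogs)" "$internal"
}
```

On a CI image the call is `lock_to_internal_catalog "$INTERNAL_CATALOG"`; a non-zero exit means a public catalog is still reachable and the build should stop before any `raco pkg install`.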

Sage Gerard

Apr 2, 2021, 9:29:19 PM
to racket...@googlegroups.com
No, I'm just looking for extra confidence when verifying installers.

On that note, did Ubuntu require someone to sign packages to distribute
packages via apt? Can that be repurposed here?

--
~slg


Sam Tobin-Hochstadt

Apr 2, 2021, 9:33:26 PM
to Sage Gerard, Racket Users
There is indeed signing for Ubuntu PPAs, but that's specific both to apt and to the PPA system.

Sam

James Platt

Apr 6, 2021, 1:19:40 PM
to Racket Users
On Apr 2, 2021, at 6:59 PM, Alex Harsányi wrote:

> Hi James,
>
> If you are worried about dependency confusion attacks, you can set up your own package catalog on an internal server, delete the default catalogs from racket and add a reference to just your internal catalog. This way, "raco pkg install" will install all packages (and all their dependencies) only from a source which you have full control of.
>
> I use a similar technique when I build my application on the CI server, to ensure that all packages and their dependencies are under source control and no untracked dependency sneaks in via a new package dependency.

Thanks. I had not thought of that. My company will probably want to do something of the kind before we release anything to the public.