
Host binary release on github as well

Open Moelf opened this issue 2 years ago • 6 comments

Running curl | sh is a security hazard; it's more convenient for some people to just wget from a GitHub URL and move the binary file around.

Moelf avatar Apr 10 '23 17:04 Moelf

Wouldn't downloading over the network pose the same risk? rustup even uses the same approach.

uncomfyhalomacro avatar Apr 10 '23 21:04 uncomfyhalomacro

It's easy to check the hash of the downloaded binary; the recommended curl | sh approach is not so easy to check.

Partly because the server side can feed you different content based on whether you did curl XXX or wget XXX: https://news.ycombinator.com/item?id=17636288

Moelf avatar Apr 11 '23 01:04 Moelf
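The "download to a file, check the hash, then install" flow that the comment above contrasts with curl | sh, as an added example (not juliaup's installer and not code from anyone in this thread). The demo at the bottom uses a constructed local file in place of a GitHub release asset so it runs offline; `safe_install`, the URL it would fetch and the `EXPECTED_HEX` it expects are illustrative, and the published digest must come from somewhere other than the download itself.

```shell
#!/bin/sh
# Added example; not juliaup's installer or any code from this thread.
# "Download, verify the hash, then run", as opposed to curl | sh, where sh
# starts executing the script while the download is still in flight and
# there is no complete artifact to check.

# Portable SHA-256 of a file: sha256sum (coreutils) or shasum (macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX: return 0 only if the digests match.
# The expected value is lower-cased so a digest copied from a release page
# in upper-case hex still compares equal; a missing file never verifies.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# safe_install URL EXPECTED_HEX DEST: fetch to a temp file, verify, then
# install. Nothing is executed or placed on PATH before the check passes.
# EXPECTED_HEX must be obtained out of band (release page over TLS, a signed
# checksums file, the project's repository), never from the same download.
safe_install() {
    url=$1; expected=$2; dest=$3
    tmp=$(mktemp) || return 1
    # -f: HTTP errors fail instead of saving an error page as the binary;
    # -L: follow the redirect GitHub uses for release assets.
    if ! curl -fsSL -o "$tmp" "$url"; then
        rm -f "$tmp"; return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "checksum mismatch for $url, refusing to install" >&2
        rm -f "$tmp"; return 1
    fi
    install -m 0755 "$tmp" "$dest"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Offline demo with a constructed file standing in for the downloaded binary.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'hello\n' > "$dir/juliaup"
    # SHA-256 of the bytes "hello\n": the value a release page would publish.
    published=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    if verify_sha256 "$dir/juliaup" "$published"; then echo "intact: accepted"; fi
    printf 'hello!\n' > "$dir/juliaup"   # one byte changed in transit
    if ! verify_sha256 "$dir/juliaup" "$published"; then echo "tampered: rejected"; fi
    rm -rf "$dir"
}
demo
```

The check is only as good as the channel the digest came from: a hash served next to the binary by the same host protects against a truncated or corrupted download, not against a compromised host. That gap is what a detached signature under a pinned key closes.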

running curl | sh is a security hazard

I came here for the same reason, but if given the option, I'd actually prefer to be able to use cargo install juliaup rather than download binaries from GitHub. I am confident that my Rust distribution is installed securely, and if my Julia installation could piggyback on that, it would be quite convenient.

garrison avatar Apr 19 '23 00:04 garrison

I don't want to install Rust :) I'm a Julia user, not a Rust user (yet)

Moelf avatar Apr 19 '23 00:04 Moelf

Actually, does juliaup even verify the authenticity of versions.json in any way? I scanned updateversiondb.jl and did not see any obvious checking of that file's signature. In fact, the url https://julialang-s3.julialang.org/bin/versions.json.asc doesn't even seem to exist.

Assuming I am not overlooking something, then there is probably little use worrying about curl | sh before this is fixed.

garrison avatar Apr 19 '23 00:04 garrison

That could be worth a separate issue to open. Probably best to use minisign or signify for that.

uncomfyhalomacro avatar Apr 19 '23 14:04 uncomfyhalomacro
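What a fail-closed check of versions.json against a pinned minisign public key could look like, covering both the missing verification garrison describes and the minisign suggestion above. This is an added example, not juliaup's code or anything the project ships. Assumptions: the detached signature is published beside the file as `versions.json.minisig` (minisign's default name; the project publishes no such file today), the key passed to `verify_minisig` is a placeholder rather than a real project key, and the `demo` key pair is generated on the spot.

```shell
#!/bin/sh
# Added example; not juliaup's code. Fail-closed verification of the version
# database against a pinned minisign key. Assumed: signature published as
# versions.json.minisig next to the file; PUBKEY arguments are placeholders.

VERSIONS_URL=https://julialang-s3.julialang.org/bin/versions.json

# verify_minisig FILE SIGFILE PUBKEY: 0 only when minisign is installed, both
# files exist and are non-empty, and the signature verifies under PUBKEY.
# Anything else, including "no minisign on this machine", is a failure: a
# file we could not check is not a file we trust.
verify_minisig() {
    file=$1; sig=$2; pubkey=$3
    [ -s "$file" ] && [ -s "$sig" ] || return 1
    if ! command -v minisign >/dev/null 2>&1; then
        echo "minisign not available; refusing to trust $file" >&2
        return 1
    fi
    minisign -V -q -m "$file" -x "$sig" -P "$pubkey" >/dev/null 2>&1
}

# fetch_versions_db PUBKEY DEST: download the database and its signature,
# verify, and only then move the file into place. A failed or missing
# signature leaves DEST untouched, so the client keeps its last good copy
# instead of a database an attacker controlling the host could have edited.
fetch_versions_db() {
    pubkey=$1; dest=$2
    tmp=$(mktemp -d) || return 1
    if curl -fsSL -o "$tmp/versions.json" "$VERSIONS_URL" &&
       curl -fsSL -o "$tmp/versions.json.minisig" "$VERSIONS_URL.minisig" &&
       verify_minisig "$tmp/versions.json" "$tmp/versions.json.minisig" "$pubkey"
    then
        mv "$tmp/versions.json" "$dest"; rc=$?
    else
        echo "versions.json signature check failed; keeping existing $dest" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Offline demo of the signer side and both verifier outcomes. Runs only when
# minisign is installed; the key pair and the database are constructed here.
demo() {
    command -v minisign >/dev/null 2>&1 || { echo "demo skipped: no minisign"; return 0; }
    dir=$(mktemp -d) || return 1
    minisign -G -f -W -p "$dir/pub" -s "$dir/sec" >/dev/null 2>&1
    pubkey=$(sed -n 2p "$dir/pub")   # second line of a .pub file is the key itself
    printf '{"1.9.0":{"stable":true}}\n' > "$dir/versions.json"
    minisign -S -W -s "$dir/sec" -m "$dir/versions.json" -x "$dir/versions.json.minisig" >/dev/null 2>&1
    if verify_minisig "$dir/versions.json" "$dir/versions.json.minisig" "$pubkey"; then
        echo "genuine: accepted"
    fi
    printf '{"1.9.0":{"stable":true},"evil":{}}\n' > "$dir/versions.json"   # edited after signing
    if ! verify_minisig "$dir/versions.json" "$dir/versions.json.minisig" "$pubkey"; then
        echo "tampered: rejected"
    fi
    rm -rf "$dir"
}
demo
```

The public key belongs in the client binary or its config, not next to the file on the same host; if it were fetched from julialang-s3 too, whoever controls that bucket could replace key and signature together and the check would prove nothing.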