
Verify hash of the downloaded file to (re)install PHP

Open zetxek opened this issue 4 years ago • 3 comments

In the README it's suggested to execute:

curl -s https://raw.githubusercontent.com/ho-nl/docker-development-box/master/install.sh | bash -s -- -i

There is no validation of the remote script. It's a best practice to prevent somebody from impersonating/replacing the script that will do crucial system tasks.

References:

  • https://superuser.com/a/498940/87723
  • https://optimalbi.com/checking-a-checksum-cryptographic-hash-function-with-powershell-and-bash-shell/

zetxek avatar Aug 26 '20 09:08 zetxek
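The check requested above, sketched as an added example (not code from this thread or from the project): the installer is downloaded to a file, compared against a pinned SHA-256, and executed only on a match. The function names are hypothetical and the expected digest is a placeholder to be recorded after reviewing the script.

```bash
#!/usr/bin/env bash
# Added example: verify a downloaded installer against a pinned SHA-256 before running it.

# Print the SHA-256 of a file as lowercase hex (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only if the file's digest equals the expected value (case-insensitive);
# return 2 for a missing file or a malformed expected digest.
verify_sha256() {
  local file="$1" expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -f "$file" ] || return 2
  # Reject anything that is not a 64-character hex digest
  printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$' || return 2
  actual=$(sha256_of "$file") || return 2
  [ "$actual" = "$expected" ]
}

# Download to a temp file, verify, and only then execute with the given arguments.
fetch_verify_run() {
  local url="$1" expected="$2"; shift 2
  local tmp rc
  tmp=$(mktemp) || return 1
  # -f: fail on HTTP errors so an error page is never hashed or run
  if curl -fsSL "$url" -o "$tmp" && verify_sha256 "$tmp" "$expected"; then
    bash "$tmp" "$@"; rc=$?
  else
    echo "refusing to run $url: download failed or checksum mismatch" >&2; rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Usage (digest is a placeholder; record it after reviewing the script yourself):
# fetch_verify_run \
#   https://raw.githubusercontent.com/ho-nl/docker-development-box/master/install.sh \
#   "<sha256-of-the-install.sh-you-reviewed>" -i
```

Because the URL tracks `master`, the check fails as soon as the script changes upstream, which forces a fresh review before the new version is run. The pinned digest has to be stored somewhere other than next to the script it protects.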

Fair point. It doesn't really need to be executed over the network. composer require bla/bla and running the install script from the vendor folder should work as well. Might that be a better alternative?

paales avatar Aug 26 '20 13:08 paales

I think that should be already better, as the user can go and check the script themselves, and there's no risk of DNS hijacking or something like that :-)

zetxek avatar Aug 26 '20 14:08 zetxek

If you've got the time to restructure the README to make this clear, that would be appreciated.

paales avatar Aug 26 '20 15:08 paales

Fixed in https://github.com/ho-nl/docker-development-box/commit/03c3754e049fbe9081c47ca2488046a2c08bd347

hnsr avatar Jul 16 '24 08:07 hnsr