As far as I can tell, chicken-install (as of 5.0.0 and before):
- Does not download packages over HTTPS, and
- Does no package signing

Because of this, it would be trivial for anyone sitting between my
computer and my mirror (i.e. when using public Wi-Fi or other untrusted
networks) to tamper with the code I receive. This is bad as a malicious
actor could potentially run code on my machine, or install code that
will be run later, possibly even as root.

I think it would be good to sign packages, and refuse to install a
package if it has an invalid signature. HTTPS would also be nice, but is
not necessary. I believe this is what Debian does by default; packages
are signed and served over regular HTTP.

The setup.defaults file containing a list of mirrors could contain a
fingerprint, maybe per-repository so it would be possible to have an
in-house repository that is signed with a different key, or unsigned.

_______________________________________________
Chicken-users mailing list
Chicken-users@nongnu.org
https://lists.nongnu.org/mailman/listinfo/chicken-users
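
The check proposed in the message above, as an added example that is not part of the original post and is not chicken-install code. It assumes Ed25519 signatures and a hex SHA-256 fingerprint of the signing key; the `Repo` type, the mirror URL and the sample package are hypothetical and constructed, not real setup.defaults syntax.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Repo is a hypothetical per-repository trust entry (not real setup.defaults syntax).
type Repo struct {
	URL         string
	Fingerprint string // hex SHA-256 of the signing key; "" = explicitly unsigned
}

// Fingerprint returns the value a repository entry would pin.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// CheckPackage returns nil only if the package may be installed.
func CheckPackage(r Repo, pkg, sig []byte, pub ed25519.PublicKey) error {
	if r.Fingerprint == "" {
		return nil // in-house repository configured as unsigned
	}
	// Length check first: ed25519.Verify panics on a malformed key.
	if len(pub) != ed25519.PublicKeySize || Fingerprint(pub) != r.Fingerprint {
		return errors.New("signing key does not match pinned fingerprint")
	}
	if !ed25519.Verify(pub, pkg, sig) {
		return errors.New("invalid signature, refusing to install")
	}
	return nil
}

// SignedSample builds a constructed package, its signature and the signing key.
func SignedSample(seed byte) (pkg, sig []byte, pub ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	pkg = []byte("constructed egg tarball bytes")
	return pkg, ed25519.Sign(priv, pkg), priv.Public().(ed25519.PublicKey)
}

func main() {
	pkg, sig, pub := SignedSample(0x42)
	repo := Repo{URL: "http://mirror.example/eggs", Fingerprint: Fingerprint(pub)}
	fmt.Println("untouched:", CheckPackage(repo, pkg, sig, pub))
	pkg[0] ^= 1 // modification of the download in transit over plain HTTP
	fmt.Println("tampered: ", CheckPackage(repo, pkg, sig, pub))
}
```

Because the pinned fingerprint ships with the client configuration, the transport can stay plain HTTP: a modified download or a substituted key both fail the check before anything is installed.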
