On Oct 22, 2016 4:37 PM, "Adrián Pérez de Castro" <[email protected]> wrote:
>
> Hi!
>
> Quoting Nagaev Boris (2016-10-22 19:22:52)
> > On Sat, Oct 22, 2016 at 6:56 PM, Adrián Pérez de Castro
> > <[email protected]> wrote:
> > > Hello all!
> > >
> > > Today I was thinking about the security implications of automatically
> > > downloading and installing a LuaRocks release, and I noticed that
> > > releases are not signed in any way, and are served over plain ol' HTTP
> >
> > luarocks.org uses https.
>
> The link at the wiki page with installation instructions at
> https://github.com/keplerproject/luarocks/wiki/Download#Downloading has
> the following link pointing to the releases:
>
> http://luarocks.org/releases
>
> which is a redirect to
>
> http://keplerproject.github.io/luarocks/releases/
Well, since that is a wiki, that link was easy to fix. :)
> I have just noticed that manually changing the URL to have "https://" as
> the scheme works, but unfortunately the redirect is sent to plain HTTP:
>
> % curl -si https://luarocks.org/releases | grep '^Location:'
> Location: http://keplerproject.github.io/luarocks/releases
> %
Leaf, can you look at this redirect?
> > > (read: no encryption). It would be interesting to be able to know
> > > whether a release tarball has been tampered with, to be confident that
> > > harmful code has not been introduced.
> > >
> > > I have an idea [1] a possible workaround when using Rockz (a Zsh plugin
> > > which provides a virtualenv-alike tool), but it would still be a good
> > > thing that releases would be provided with an accompanying PGP
> > > signature. This would be as easy as running:
> > >
> > > % gpg --detach-sign --armor luarocks-X.Y.Z.tar.gz
> > >
> > > and including the generated “luarocks-X.Y.Z.tar.gz.asc” file in the
> > > releases download page. In order to verify the signature, once the
> > > signature and the tarball are downloaded in the same location, this
> > > would be done:
> > >
> > > % gpg --verify luarocks-X.Y.Z.tar.gz.asc
That seems simple enough! I can look into generating and uploading these
.asc files.
-- Hisham
_______________________________________________
Luarocks-developers mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/luarocks-developers
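The signing and verification steps proposed in the thread, written out as an added example that is not part of the original messages. It assumes GnuPG 2.1+ is on PATH; the key identity, the tarball contents and the pinned fingerprint are constructed stand-ins, and the verification additionally checks that the valid signature came from the pinned release key rather than from any key that happens to be in the keyring.

```shell
#!/bin/sh
# Added example: detached, ASCII-armored PGP signature for a release tarball,
# created and verified with a throwaway key in a temporary GNUPGHOME.
# Assumes GnuPG 2.1+. Key identity and tarball contents are constructed.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"

# Throwaway, passphrase-less signing key (constructed identity).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Example Release Key <release@example.invalid>' \
    default default 0 2>/dev/null

# The fingerprint a user would pin from a trusted, out-of-band source
# (here simply read back from the throwaway keyring).
RELEASE_KEY_FPR=$(gpg --batch --with-colons --fingerprint --list-keys 2>/dev/null \
    | awk -F: '$1=="fpr"{print $10; exit}')

# Constructed stand-in for luarocks-X.Y.Z.tar.gz.
TARBALL="$WORK/luarocks-X.Y.Z.tar.gz"
printf 'constructed release contents\n' > "$TARBALL"

# Release-manager step from the thread: writes luarocks-X.Y.Z.tar.gz.asc.
sign_release() {
    gpg --batch --quiet --detach-sign --armor "$1"
}

# User step: verify the .asc next to the tarball and require a VALIDSIG
# status line naming the pinned key. Prints "good" or "bad".
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null || true)
    if printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .*$RELEASE_KEY_FPR"; then
        echo good
    else
        echo bad
    fi
}

sign_release "$TARBALL"
RESULT_CLEAN=$(verify_release "$TARBALL")

# Simulate tampering after signing: the signature no longer matches.
printf 'injected line\n' >> "$TARBALL"
RESULT_TAMPERED=$(verify_release "$TARBALL")
```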