Hi James,

If you are worried about dependency confusion attacks, you can set up your 
own package catalog on an internal server, delete the default catalogs from 
Racket and add only a reference to your internal catalog.  This way, 
"raco pkg install" will install all packages (and all their dependencies) 
only from a source which you have full control of.

I use a similar technique when I build my application on the CI server, to 
ensure that all packages and their dependencies are under source control 
and no untracked dependency sneaks in via a new package dependency. 

Alex.
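As an added illustration of the setup described above (not part of Alex's message): a small shell script that points raco at a single internal catalog and audits the configured catalog list so that a stray default catalog is detected. The catalog URL, local mirror directory and function names are placeholders I chose for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Pins raco's package catalogs to
# one internal server and checks that nothing else is configured.
# Placeholders: replace INTERNAL_CATALOG and MIRROR_DIR with your own values.
INTERNAL_CATALOG="https://pkgs.internal.example/catalog/"
MIRROR_DIR="/srv/racket-catalog"

# Seed the internal catalog by copying package entries from an upstream
# catalog into a local directory catalog, which the internal server then hosts.
mirror_catalog() {
    upstream="$1"
    raco pkg catalog-copy "$upstream" "$MIRROR_DIR"
}

# Replace the installation-scope catalog list so only the internal catalog
# remains; the default public catalogs are dropped by this single --set.
pin_catalogs() {
    raco pkg config -i --set catalogs "$INTERNAL_CATALOG"
}

# check_catalogs: read catalog URLs from stdin, one per line (the shape of
# `raco pkg config catalogs` output), and fail if any differs from the
# allowed internal catalog. Kept separate from raco so it can be tested offline.
check_catalogs() {
    allowed="$1"
    rc=0
    while IFS= read -r url; do
        [ -z "$url" ] && continue
        if [ "$url" != "$allowed" ]; then
            echo "unexpected catalog configured: $url" >&2
            rc=1
        fi
    done
    return $rc
}

# audit: run on the CI image after pin_catalogs to confirm the pin held.
audit() {
    raco pkg config catalogs | check_catalogs "$INTERNAL_CATALOG"
}
```

Running `audit` as a CI step makes a reappearing public catalog a build failure rather than a silent change in where dependencies come from.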
On Saturday, April 3, 2021 at 12:26:08 AM UTC+8 James Platt wrote:

>
> Are you bringing this up because of the recent rise of dependency confusion 
> attacks? In any case, it would be good to know where Racket stands with 
> that. 
>
> On Apr 1, 2021, at 12:39 PM, Sage Gerard wrote:
>
> > Are there any plans to publish GPG signatures for Racket installers, or
> > at least upgrade the cryptographic hash function used for the checksums?
> > 
> > If not, who would be a good person to talk to about contributing that?
> > 
> > --
> > ~slg
> > 
> > 

-- 
You received this message because you are subscribed to the Google Groups 
"Racket Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to racket-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/racket-users/7e7c1ff2-927b-4c1a-ad12-d35b4cf6a68en%40googlegroups.com.
