Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rustup.sh and underlying binaries authentication #16442

Closed
l0kod opened this issue Aug 12, 2014 · 6 comments
Closed

rustup.sh and underlying binaries authentication #16442

l0kod opened this issue Aug 12, 2014 · 6 comments
Labels
A-security Area: Security (example: address space layout randomization).

Comments

@l0kod
Copy link
Contributor

l0kod commented Aug 12, 2014

After the #16123, a second step should be to sign all files needed for the installation. Each Rust versions are signed in the git repository. Great! If the "rustup.sh" is included in the git repository, it will be possible to anyone to verify the script (from a git tag) before executing it.

Maybe all (including nightly) underlying binaries hashes should "inherit" from the signature like with the "snapshots.txt" hashes? The main Rust repository or a dedicated one could aggregate all hashes.

So, the guide could be improved by replacing the "curl" instruction with a "git clone + verify-tag". This add some extra MB to the download but worth it for more security to users who care.
@l0kod
Copy link
Contributor Author

l0kod commented Aug 12, 2014

cc #15204

@steveklabnik
Copy link
Member

/cc @brson

@l0kod
Copy link
Contributor Author

l0kod commented Feb 11, 2015

cc rust-lang/crates.io#75

@vladimir-lu vladimir-lu mentioned this issue Feb 16, 2015
Closed
@steveklabnik
Copy link
Member

Triage: no changes I'm aware of.

@brson
Copy link
Contributor

brson commented Aug 22, 2016

cc rust-lang/rustup#241
cc rust-lang/rustup#242

@brson
Copy link
Contributor

brson commented Aug 22, 2016

Closing this since the specifics are pretty out of date.

@brson brson closed this as completed Aug 22, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
A-security Area: Security (example: address space layout randomization).
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@steveklabnik @brson @l0kod @thestinger