GNU bug report logs - #34125
Installation script needs to be secured with a gpg signature


Package: guix

Reported by: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>

Date: Fri, 18 Jan 2019 15:24:01 UTC

Severity: normal

Done: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>

Bug is archived. No further changes may be made.

From: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>
To: 34125 <at> debbugs.gnu.org
Subject: bug#34125: Installation script needs to be secured with a gpg signature
Date: Fri, 18 Jan 2019 16:23:01 +0100
I was looking at the installation video from Laura (not yet public) and
wondered about that:

We just download the installation script:

$ wget https://.../guix-install.sh

Then we go on directly executing that script.

Shouldn't that be safeguarded by a PGP signature too?

Because if it is not, the user could be tricked into a script that
downloads a "bad" Guix installation tarball. That's what we are always
criticising about others' wget scripts that install whatever to the user.

WDYT?

Björn
[Message part 2 (application/pgp-signature, inline)]
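
The check the report asks for, as an added example that is not part of the original message or of Guix's own installer: the downloaded script runs only if a detached OpenPGP signature over it verifies against one pinned key. The function names `verify_signed_script` and `run_verified` are hypothetical, and the keyring file and fingerprint are assumed to have been obtained out of band by the caller.

```shell
#!/bin/sh
# Added example: gate execution of a downloaded installer on a detached
# OpenPGP signature made by one pinned key.
# Assumptions: gpgv is installed; KEYRING is an absolute path to a file
# holding only the trusted public key (e.g. written by `gpg --export`);
# FPR is that key's full primary fingerprint as upper-case hex, no spaces.

# verify_signed_script SCRIPT SIG KEYRING FPR
# Succeeds only if SIG is a valid signature over SCRIPT by the pinned key.
verify_signed_script() {
    # gpgv consults only the keyring named here, never a key server.
    v_status=$(gpgv --keyring "$3" --status-fd 1 "$2" "$1" 2>/dev/null) ||
        return 1
    # The last field of a VALIDSIG status line is the primary key
    # fingerprint; comparing it rejects any other key in the keyring.
    printf '%s\n' "$v_status" |
        awk -v want="$4" '$2 == "VALIDSIG" && $NF == want { ok = 1 }
                          END { exit !ok }'
}

# run_verified SCRIPT SIG KEYRING FPR [ARGS...]
# Verifies a private copy of SCRIPT and runs that same copy, so the file
# cannot be swapped between the check and the execution.
run_verified() {
    r_dir=$(mktemp -d) || return 1
    cp -- "$1" "$r_dir/installer" || { rm -rf "$r_dir"; return 1; }
    r_rc=0
    if verify_signed_script "$r_dir/installer" "$2" "$3" "$4"; then
        shift 4
        sh "$r_dir/installer" "$@" || r_rc=$?
    else
        echo "signature check failed; not running the script" >&2
        r_rc=1
    fi
    rm -rf "$r_dir"
    return "$r_rc"
}
```

The signature protects the user only if the key and its fingerprint come from a source other than the server that hosts the script.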

This bug report was last modified 6 years and 117 days ago.
