Re: [Chicken-users] chicken-install package integrity/signing
From: Jason Valencia
Subject: Re: [Chicken-users] chicken-install package integrity/signing
Date: Sun, 23 Dec 2018 23:55:56 +0000
Mario Domenech Goulart wrote:
> On Sun, 23 Dec 2018 00:11:51 +0000 Jason Valencia <address@hidden> wrote:
> > Until this is resolved, is anyone aware of good ways to install eggs
> > more securely? A couple options come to mind but they seem overkill.
> >
> > - Running a local egg mirror with henrietta as it looks like it can
> > fetch over HTTPS
> >
> > - Downloading packages with chicken-install -retrieve (to just
> > download instead of installing) and manually inspecting each one
>
> We actually have tarballs for eggs. They are not used by any tool, so
> I guess nobody is really making use of them so far. Anyway, they are
> here: https://code.call-cc.org/egg-tarballs/
>
> They are served via HTTPS and there are checksum files for the
> tarballs. They are not signed, though. There is an index file for
> each tarball repository (one per major CHICKEN version). For example,
> for CHICKEN 5: https://code.call-cc.org/egg-tarballs/5/index.gz
> (gzip-compressed).
>
> The format of the index is:
>
> * The first line is the index format version
>
> * the following lines have this format:
> (<egg> <version> <tarball size> <tarball SHA1 sum> <dependencies> <test dependencies>)
Thanks, that is very helpful.
> I have a very ugly script that generates a Makefile to fetch, unpack
> and install egg tarballs. If you are interested, let me know.
That would be great! Even if it is ugly it should give me a better
understanding of how this works.
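Added example (not code from this thread or from the CHICKEN project): a small Python checker that parses an index in the format Mario describes and verifies a downloaded tarball's size and SHA1 against its entry. It assumes one s-expression entry per line after the version line; the egg names and tarball bytes below are constructed, and the check only ties a download to the unsigned index, so it detects corruption or a tampered mirror copy but not a compromised origin.

```python
import gzip
import hashlib
import hmac
import re

_TOKEN = re.compile(r'\(|\)|"(?:[^"\\]|\\.)*"|[^\s()"]+')


def _read(tokens, pos):
    """Recursive-descent reader for the s-expression index lines."""
    tok = tokens[pos]
    if tok == "(":
        items, pos = [], pos + 1
        while tokens[pos] != ")":
            item, pos = _read(tokens, pos)
            items.append(item)
        return items, pos + 1
    if tok.startswith('"'):
        return tok[1:-1], pos + 1
    return tok, pos + 1


def parse_sexp(line):
    tokens = _TOKEN.findall(line)
    try:
        value, pos = _read(tokens, 0)
    except IndexError:
        raise ValueError("unbalanced index line: %r" % line)
    if pos != len(tokens):
        raise ValueError("trailing tokens in index line: %r" % line)
    return value


def parse_index(text):
    """Return (format version, {egg: entry}) from decompressed index text."""
    lines = [l for l in text.splitlines() if l.strip()]
    entries = {}
    for line in lines[1:]:
        egg, version, size, sha1, deps, test_deps = parse_sexp(line)
        entries[egg] = {"version": version, "size": int(size),
                        "sha1": sha1.lower(), "deps": deps, "test_deps": test_deps}
    return lines[0].strip(), entries


def read_index_file(path):
    """The served index is gzip-compressed; decompress then parse."""
    with gzip.open(path, "rt") as f:
        return parse_index(f.read())


def verify_tarball(entry, data):
    """Size and SHA1 must both match the index entry; reject otherwise."""
    if len(data) != entry["size"]:
        return False
    return hmac.compare_digest(hashlib.sha1(data).hexdigest(), entry["sha1"])


# Constructed sample: fake tarball bytes and an index line whose size/SHA1
# are computed here only because the data is made up for this example.
SAMPLE_TARBALL = b"constructed tarball contents, not a real egg"
SAMPLE_INDEX = '1\n(foo "1.0" %d "%s" (bar baz) ())\n' % (
    len(SAMPLE_TARBALL), hashlib.sha1(SAMPLE_TARBALL).hexdigest())
```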