guix-devel

From: Mark H Weaver
Subject: Re: Idea: Install script to better support improving contributor-friendliness of projects
Date: Sun, 26 Nov 2017 15:35:07 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)

Hi,

Никита Чураев <address@hidden> writes:

> Here's how I want to use Guix and it is to increase
> contributor-friendliness of a project, so that the user can simply run
> a distribution-independent command to install all dependencies without
> having to hunt for them with `apt` and `dnf` manually.
>
> Unfortunately, Guix itself is not very easy to install, and the
> instructions are full of rather technical stuff like 'systemd' and
> 'upstart'.
>
> https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html
>
> There should be a script like the one Haskell Stack uses:
>
> curl -sSL https://get.haskellstack.org/ | sh

I can understand the appeal of such a convenient approach.  However,
this practice of downloading a script via HTTPS and immediately running
it as root without inspection puts you at considerable risk.  A
man-in-the-middle with the resources to compromise or bribe *any*
certificate authority in your trust store (the attacker could choose
which one) could acquire a fraudulent certificate to impersonate our
site, and then substitute in a different script than the one we
provided.  Quite a few organizations are capable of such an attack
today.

Therefore, I believe it would be irresponsible for us to promote this
style of installation.

However, if there's sufficient interest, and if we could produce a
sufficiently robust "auto-install" script, we could perhaps do something
close to what you suggested.  We could provide a script along with a
GnuPG digital signature.  We could ask the user to download the script,
acquire our signing key, verify the signature on the script, and then
run the script as root.

      Mark
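The signed-script flow sketched above (download the script and a detached signature, obtain the project's signing key, verify, and only then run as root), written out as an added example. This is not code from the Guix project or from the message; the function names `verify_script` and `install_verified`, the throwaway signing key, and the one-line stand-in install script are all constructed for the demo so that it runs offline with nothing but `gpg` installed. Two details matter in practice and are the reason the check is stricter than a bare `gpg --verify`: gpg exits 0 for a good signature from *any* key in the keyring, trusted or not, so the script is verified in a fresh, empty homedir holding only the expected key and the signing key's fingerprint is compared against a pinned value; and that key and fingerprint have to come from a channel independent of the download, otherwise the same man-in-the-middle simply substitutes the key along with the script.

```shell
#!/bin/sh
# Added example, not Guix project code. Shows "download, fetch key, verify
# signature, then run" with a throwaway key so it works offline.
set -eu

# verify_script SCRIPT SIG PUBKEY_FILE EXPECTED_FPR
# Checks SIG (a detached GnuPG signature) over SCRIPT using ONLY the key in
# PUBKEY_FILE, imported into a fresh homedir, then requires the signing key's
# fingerprint (40 uppercase hex digits, no spaces) to equal EXPECTED_FPR.
# Returns 0 only if both hold; gpg's own exit status alone is not enough.
verify_script() {
    script=$1 sig=$2 pubkey=$3 expected_fpr=$4
    kr=$(mktemp -d)
    gpg --homedir "$kr" --batch --quiet --import "$pubkey" 2>/dev/null \
        || { rm -rf "$kr"; return 1; }
    # --status-fd 1 yields machine-readable lines such as
    #   [GNUPG:] VALIDSIG <signing key fpr> ... <primary key fpr>
    status=$(gpg --homedir "$kr" --batch --status-fd 1 \
                 --verify "$sig" "$script" 2>/dev/null || true)
    rm -rf "$kr"
    printf '%s\n' "$status" | awk -v fpr="$expected_fpr" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# install_verified SCRIPT SIG PUBKEY_FILE EXPECTED_FPR
# Runs SCRIPT only after verify_script accepts it. A real installer would be
# run as root ("sudo sh"); the demo runs it as the current user.
install_verified() {
    if verify_script "$1" "$2" "$3" "$4"; then
        sh "$1"
    else
        echo "refusing to run $1: signature or key fingerprint check failed" >&2
        return 1
    fi
}

# ---- demo: maintainer side (constructed key and script) ------------------
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; demo skipped" >&2; exit 0; }

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
MAINT="$DEMO/maintainer"            # stands in for the project's signing setup
mkdir -p "$MAINT"; chmod 700 "$MAINT"
gpg --homedir "$MAINT" --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Demo Signer <demo@example.invalid>' default default never 2>/dev/null
FPR=$(gpg --homedir "$MAINT" --batch --with-colons --fingerprint |
      awk -F: '$1 == "fpr" { print $10; exit }')   # primary key fingerprint

SCRIPT="$DEMO/install.sh"; SIG="$SCRIPT.sig"; PUBKEY="$DEMO/signing-key.asc"
printf '#!/bin/sh\necho "installer ran"\n' > "$SCRIPT"   # constructed stand-in
gpg --homedir "$MAINT" --batch --quiet --pinentry-mode loopback --passphrase '' \
    --local-user "$FPR" --armor --detach-sign --output "$SIG" "$SCRIPT" 2>/dev/null
gpg --homedir "$MAINT" --batch --armor --export "$FPR" > "$PUBKEY"

# ---- demo: user side -----------------------------------------------------
# The pinned fingerprint ($FPR) would normally be typed in from a second channel.
install_verified "$SCRIPT" "$SIG" "$PUBKEY" "$FPR"         # prints "installer ran"

TAMPERED="$DEMO/install-tampered.sh"                        # MITM-substituted body
cp "$SCRIPT" "$TAMPERED"; echo 'echo "malicious payload"' >> "$TAMPERED"
install_verified "$TAMPERED" "$SIG" "$PUBKEY" "$FPR" \
    || echo "tampered script rejected"

# A valid signature from some other key is rejected by the fingerprint pin.
install_verified "$SCRIPT" "$SIG" "$PUBKEY" "0000000000000000000000000000000000000000" \
    || echo "unexpected signing key rejected"
```

The verification deliberately ignores the user's default keyring and trust database: what is being asked is "was this exact file signed by the key with this exact fingerprint", not "does gpg consider some key trustworthy". Anything a maintainer publishes alongside such a script should therefore be the fingerprint, stated somewhere the attacker in the scenario above cannot also rewrite.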


