[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Idea: Install script to better support improving contributor-friendl
|
From: |
Ludovic Courtès |
|
Subject: |
Re: Idea: Install script to better support improving contributor-friendliness of projects |
|
Date: |
Tue, 28 Nov 2017 17:11:15 +0100 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux) |
Hello,
Mark H Weaver <address@hidden> skribis:
> Никита Чураев <address@hidden> writes:
>
>> Here's how I want to use Guix and it is to increase
>> contributor-friendliness of a project, so that the user can simply run
>> a distribution-independent command to install all dependencies without
>> having to hunt for them with `apt` and `dnf` manually.
>>
>> Unfortunately, Guix itself is not very easy to install, and the
>> instructions are full of rather technical stuff like 'systemd' and
>> 'upstart'.
>>
>> https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html
>>
>> There should be a script like the one Haskell Stack uses:
>>
>> |curl -sSL https://get.haskellstack.org/ | sh|
>
> I can understand the appeal of such a convenient approach. However,
> this practice of downloading a script via HTTPS and immediately running
> it as root without inspection puts you at considerable risk. A
> man-in-the-middle with the resources to compromise or bribe *any*
> certificate authority in your trust store (the attacker could choose
> which one) could acquire a fraudulent certificate to impersonate our
> site, and then substitute in a different script than the one we
> provided. Quite a few organizations are capable of such an attack
> today.
>
> Therefore, I believe it would be irresponsible for us to promote this
> style of installation.
Seconded.
> However, if there's sufficient interest, and if we could produce a
> sufficiently robust "auto-install" script, we could perhaps do something
> close to what you suggested. We could provide a script along with a
> GnuPG digital signature. We could ask the user to download the script,
> acquire our signing key, verify the signature on the script, and then
> run the script as root.
I while back Chris Baines and someone else (?) had worked on such a
script, but I’m not sure what happened.
Chris, does that ring a bell?
It would be nice to have it in time for the new release.
Ludo’.
- Idea: Install script to better support improving contributor-friendliness of projects, Никита Чураев, 2017/11/26
- Re: Idea: Install script to better support improving contributor-friendliness of projects, ng0, 2017/11/26
- Re: Idea: Install script to better support improving contributor-friendliness of projects, Mark H Weaver, 2017/11/26
- Re: Idea: Install script to better support improving contributor-friendliness of projects,
Ludovic Courtès <=
- Re: Idea: Install script to better support improving contributor-friendliness of projects, myglc2, 2017/11/28
- Re: Idea: Install script to better support improving contributor-friendliness of projects, lamefun . x0r, 2017/11/28
- Re: Idea: Install script to better support improving contributor-friendliness of projects, Leo Famulari, 2017/11/28
- Re: Idea: Install script to better support improving contributor-friendliness of projects, Adonay Felipe Nogueira, 2017/11/28
- Re: Idea: Install script to better support improving contributor-friendliness of projects, Pjotr Prins, 2017/11/29
- Re: Idea: Install script to better support improving contributor-friendliness of projects, Ricardo Wurmus, 2017/11/29
- Re: Idea: Install script to better support improving contributor-friendliness of projects, Ludovic Courtès, 2017/11/30