From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) by c5ff346549e7 (Postfix) with ESMTP id 708725D5 for ; Mon, 3 Dec 2018 00:16:40 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.56,308,1539640800"; d="scan'208";a="358373890" Received: from sympa.inria.fr ([193.51.193.213]) by mail2-relais-roc.national.inria.fr with ESMTP; 03 Dec 2018 01:16:39 +0100 Received: by sympa.inria.fr (Postfix, from userid 20132) id 14AF782564; Mon, 3 Dec 2018 01:16:39 +0100 (CET) Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) by sympa.inria.fr (Postfix) with ESMTPS id 2B68A824CF for ; Mon, 3 Dec 2018 01:16:34 +0100 (CET) Authentication-Results: mail2-smtp-roc.national.inria.fr; spf=None smtp.pra=edwin+ml@etorok.eu; spf=Pass smtp.mailfrom=edwin+ml@etorok.eu; spf=None smtp.helo=postmaster@relay3-d.mail.gandi.net IronPort-PHdr: =?us-ascii?q?9a23=3Ao6uFLR3HRALTsLXFsmDT+DRfVm0co7zxezQtwd8Z?= =?us-ascii?q?se0fLfad9pjvdHbS+e9qxAeQG9mDu7Qc06L/iOPJYSQ4+5GPsXQPItRndiQuro?= =?us-ascii?q?EopTEmG9OPEkbhLfTnPGQQFcVGU0J5rTngaRAGUMnxaEfPrXKs8DUcBgvwNRZv?= =?us-ascii?q?JuTyB4Xek9m72/q99pHPYAhEniaxba9vJxiqsAvdsdUbj5F/Iagr0BvJpXVIe+?= =?us-ascii?q?VSxWx2IF+Yggjx6MSt8pN96ipco/0u+dJOXqX8ZKQ4UKdXDC86PGAv5c3krgfM?= =?us-ascii?q?QA2S7XYBSGoWkx5IAw/Y7BHmW5r6ryX3uvZh1CScIMb7S60/Vza/4KdxUBLmiD?= =?us-ascii?q?oJOSA38G/UhMJ/gq1UrxC9qBJw2IPUfIKYOeBicq/Bc94XR2xMVdtRWSxbBYO8?= =?us-ascii?q?apMCAeUcMudWron9oUYFowW4HQm2AvvvySJDi3jo0qIn3eUhEAfG0AslH9IKq3?= =?us-ascii?q?nbssn1NKAIUeCyz6nE1yvMb+5P1Dr79YPGfBchofSWUrJxd8rc0UYvFwLZjlWQ?= =?us-ascii?q?tIzqJC6V1v8TvGiB8+VgUuSvi3I5pAF3vjij3Nsjio7Mho4NxVDE9Dl5wIYoJd?= =?us-ascii?q?KjUkJ0fdmkEJ5WuiqHNIV2WtsvT391tCs40LELu4K3cDIXxJkkyRPTceGLfoyI?= =?us-ascii?q?7x77V+ucIi10iXZndb6liBu/8lKsx+z8W8SyzV1EtDBKksPWuXAIzxHT6taISv?= =?us-ascii?q?96/kq5wzaAyQTT5ftEIE06jKbUNoQtwrsqmZoStUTPBCD2l1/wjKCLd0Uo4O6o?= =?us-ascii?q?5Pr7Yrn+p5+cMZF7ih3mP6gwh8CyA/40PwoSU2SB5Oix17Pu8VfkTLhOjvA6iq?= =?us-ascii?q?zZv4rbJcQfqK65GQhV0oM75hmhEjin3tUYnX8AIFJAfBKKlJbmO03JIPDiCve/?= =?us-ascii?q?gE6gnyl2x/zeJL3uHo3NLmTfkLfmZbty91RTyA83zdxG45JUC6oBIO7oV0/qtN?= =?us-ascii?q?3YCwc5PBauz+bmDtV9zIIeVniVDq+XKqOB+WOPs+kmJu3JYI4OpB78LeIk7rjg?= =?us-ascii?q?lywXg1gYKISlwpoRIEwmBGplaxGUbWXthJQEFU8Hog0kS++shUDUAm0bXGq7Q6?= =?us-ascii?q?9pvmJzM4mhF4qWHtn80ozE5z+yG9htXk4DD1mNFXnycIDdAqUBdCWIJcwnnyFW?= =?us-ascii?q?DOH9Gb9k7gmnsUrB85QiNvDdo3RKuI7kzt92oeDOx0lrqG5ESv+F2mTIdFla22?= =?us-ascii?q?MFQzhsgfJlrEh02wzG3e59iv1cU9Na4f9IFAE3KcyEwg=3D=3D?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0BPAAC0dARch8O3RtlkGgEBAQEBAgEBA?= =?us-ascii?q?QEHAgEBAQGBZYJqA38nCoNvlCGCDYoHjzsNIwmEQAKDNBoHAQQ0EgEDAQECAQE?= =?us-ascii?q?BAQETAQEBCA0JCBsOIwyCNiKCZQECAyMPAVYjAgImAgJXEwgBAYMdAYIFC6BpE?= =?us-ascii?q?YEjgS+ELQGEYoEOgQuLEVWBQYE4gW1Qg0wCAYFKY4I3glcCiQyXNAmHAIo2Bhi?= =?us-ascii?q?CKIdDhzuCe4puiwSBXYF2c02CbAmCLINThlGEAkAyAYEni1UBgR4BAQ?= X-IPAS-Result: =?us-ascii?q?A0BPAAC0dARch8O3RtlkGgEBAQEBAgEBAQEHAgEBAQGBZYJ?= =?us-ascii?q?qA38nCoNvlCGCDYoHjzsNIwmEQAKDNBoHAQQ0EgEDAQECAQEBAQETAQEBCA0JC?= =?us-ascii?q?BsOIwyCNiKCZQECAyMPAVYjAgImAgJXEwgBAYMdAYIFC6BpEYEjgS+ELQGEYoE?= =?us-ascii?q?OgQuLEVWBQYE4gW1Qg0wCAYFKY4I3glcCiQyXNAmHAIo2BhiCKIdDhzuCe4pui?= =?us-ascii?q?wSBXYF2c02CbAmCLINThlGEAkAyAYEni1UBgR4BAQ?= X-IronPort-AV: E=Sophos;i="5.56,308,1539640800"; d="scan'208";a="358373862" Received: from relay3-d.mail.gandi.net ([217.70.183.195]) by mail2-smtp-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 03 Dec 2018 01:16:33 +0100 X-Originating-IP: 88.97.48.65 Received: from [192.168.178.27] (unknown [88.97.48.65]) (Authenticated sender: edwin@etorok.eu) by relay3-d.mail.gandi.net (Postfix) with ESMTPSA id 57E3660002 for ; Mon, 3 Dec 2018 00:16:33 +0000 (UTC) From: =?UTF-8?B?RWR3aW4gVMO2csO2aw==?= To: caml-list@inria.fr References: <20181126101448.3ee5jgz4c6ulsbbr@first.in-berlin.de> <469288B6-200B-400D-8BCB-C3C53B0954B3@exchange.mit.edu> <7429727.XKSIZ6bzdz@agaric> Message-ID: <97acc819-6c68-3a0d-e05a-fda0a6e75bf7@etorok.eu> Date: Mon, 3 Dec 2018 00:16:32 +0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1 MIME-Version: 1.0 In-Reply-To: <7429727.XKSIZ6bzdz@agaric> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Content-Language: en-GB Subject: [Caml-list] Build-/Installation-Tools - not enogh of them? Reply-To: =?UTF-8?B?RWR3aW4gVMO2csO2aw==?= X-Loop: caml-list@inria.fr X-Sequence: 17206 Errors-to: caml-list-owner@inria.fr Precedence: list Precedence: bulk Sender: caml-list-request@inria.fr X-no-archive: yes List-Id: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On 30/11/2018 16:31, Louis Gesbert wrote: >> - John F Carr, 27/11/2018 13:40 - >> I have a related request. I am not a trusting person. I do not like "curl | sudo sh" type installation methods. > You're not the only one :) > Some notes on opam's security model: > > [...] > - we do advertise `curl | sh` on the installation page as the easiest entry point, but the script is quite trivial and only uses root to copy to your prefix; it's very easy to fetch the binary by hand from Github if you prefer not to run it, and of course, you can also build from source using the bootstrap scripts. Malicious attacks aren't the only reason why 'curl | sh' is dangerous, it lacks basic integrity checks before execution: * the curl download could be interrupted due to any number reasons, and then the shell will attempt to execute the incomplete lines. Most of the time that is harmless, but what if the script contained a 'rm -rf ${FOO}/${BAR}' that gets truncated to 'rm -rf ${FOO}/', such truncation scenarios are probably not tested by a CI * the server could reply with something else than your file, not necessarily due to malicious reasons. Consider what would happen if github has a hiccup and shows replies with https://github.com/503.html that gets piped into the shell, which attempts to execute it: are we sure it doesn't have any unintended consequences (or someone might put a joke about rm in one of the error pages some day) A slightly better approach would be: curl -sL --fail https://raw.githubusercontent.com/ocaml/opam/master/shell/install.sh -o install-opam.sh && sh install-opam.sh Although curl's manpage says that --fail is not fail-safe, and it could still return success for a 401 error sometimes. This command would solve the concerns above but then you'd have to keep the webpage and the repo in sync: curl -sL https://raw.githubusercontent.com/ocaml/opam/master/shell/install.sh -o install.sh-opam.tmp && echo '0ebdb94df8940f838727bd12728d778a4a67e8006db3df330b4e0171c7f29a81  install.sh-opam.tmp' | sha256sum -c && mv install.sh-opam.tmp install-opam.sh && sh install-opam.sh Perhaps the checksum file could be hosted in the repo, and point people to run the script from a particular tag on the opam repo (to avoid race conditions between fetching the checksum file and the file itself). In the end I'm not sure if the added complication is worth it, might be easier to just point people to the releases page where the install.sh could be downloaded from and executed. If you do plan to keep 'curl | sh', I'd suggest to include at least the --fail from above. Best regards, --Edwin -- Caml-list mailing list. Subscription management and archives: https://sympa.inria.fr/sympa/arc/caml-list https://inbox.ocaml.org/caml-list Forum: https://discuss.ocaml.org/ Bug reports: http://caml.inria.fr/bin/caml-bugs