This repository has been archived by the owner on Jul 4, 2023. It is now read-only.

Secure Homebrew Installation Without SSL #43582

Closed
seandenigris opened this issue Sep 4, 2015 · 5 comments

Comments

@seandenigris

There have been a few threads on the insecurity of having the download snippet on non-SSL http://brew.sh. Two possibilities that I haven't seen suggested, and which circumvent the need for SSL:

  1. (Simpler, but may require an extra step from newbies): Instead of linking in several places from secure GitHub pages to the unsecure homepage, flip the links and host the snippet on GitHub (e.g. in the readme), pointing there from the homepage.
  2. (Keeps the instructions on the homepage, and gives savvy users the opportunity to maintain their security, but at the expense that naive users will still be vulnerable): Create a checksum file for the installer and sign it with your PGP key. This is what Ubuntu does.

@DomT4
Member

DomT4 commented Sep 4, 2015

Hmm. I'd be happy to provide a GPG-signed version of the document, i.e. install.gpg or such, personally. I don't think that would be too cumbersome to maintain over time. I'll tag this for the other maintainers to look at for discussion.

From feedback we've had elsewhere, people who aren't that familiar with OS X or Git find the frontpage script really helpful, so that's unlikely to change in itself. We don't want to make accessing Homebrew more cumbersome for the vast majority of users, but I sympathise with the desire to verify authenticity.

@MikeMcQuaid
Member

If we do anything here it'd be moving stuff to the README. I'm not really convinced by that approach, though, as it means people are suddenly presented with a bunch of GitHub UI.

@xu-cheng
Member

xu-cheng commented Sep 6, 2015

I don't think GPG signing can help anything if we point to our GPG key in an insecure page.

@DomT4
Member

DomT4 commented Sep 6, 2015

We have the GPG key published on Keybase, every keyserver & we could add it to the core repo somewhere if necessary. I'm not too worried on that front. From Mike's reply I presume he isn't super in love with the idea of signing install/uninstall, so my point may be redundant 😸.

I'm kind of bleh on making people click through from the front page to another link to find the correct script. GitHub's UI can be fairly intimidating to new users.
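
The signed-checksum idea from option 2, combined with the point above about where the key comes from, as an added example that is not part of any comment in this thread and is not Homebrew's code. The function names, the file names and the pinned fingerprint are assumptions; the fingerprint has to be obtained over a channel you already trust, not from the plain-HTTP page that serves the script.

```shell
#!/bin/sh
# Added example: check a PGP-signed checksum file, then the installer it lists.
# All names here are hypothetical; nothing below is Homebrew's own tooling.

# Reads gpg --status-fd output on stdin. Succeeds only if one signature has
# GOODSIG (not emitted for expired or revoked keys) followed by a VALIDSIG
# whose last field, the primary-key fingerprint, equals the pinned one ($1:
# 40 uppercase hex digits, no spaces).
signed_by_pinned_key() {
  awk -v want="$1" '
    $1 != "[GNUPG:]" { next }
    $2 == "NEWSIG"   { good = 0 }
    $2 == "GOODSIG"  { good = 1 }
    $2 == "VALIDSIG" && good && $NF == want { ok = 1 }
    END { exit !ok }'
}

# Succeeds only if the SHA-256 of file $1 equals the digest listed for its
# base name in checksum file $2 ("<hex digest>  <name>", sha256sum format).
checksum_matches() {
  cm_name=$(basename "$1")
  cm_want=$(awk -v n="$cm_name" \
    '$2 == n || $2 == ("*" n) { print $1; exit }' "$2" 2>/dev/null)
  if command -v sha256sum >/dev/null 2>&1; then
    cm_have=$(sha256sum "$1" | awk '{ print $1 }')
  else
    cm_have=$(shasum -a 256 "$1" | awk '{ print $1 }')   # macOS
  fi
  [ -n "$cm_want" ] && [ "$cm_want" = "$cm_have" ]
}

# Full check, signature first: an unsigned or wrongly signed checksum file
# proves nothing about the installer, so its digests are not even consulted.
# Usage: verify_installer install.sh SHA256SUMS SHA256SUMS.asc <fingerprint>
verify_installer() {
  gpg --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null \
    | signed_by_pinned_key "$4" \
    || { echo "checksum file is not signed by the pinned key" >&2; return 1; }
  checksum_matches "$1" "$2" \
    || { echo "installer does not match the signed checksum" >&2; return 1; }
}
```

Pinning the full fingerprint rather than trusting whatever key the signature names is what answers the insecure-page concern: a key substituted in transit produces a valid signature with a different fingerprint, which this check rejects.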

@tdsmith
Contributor

tdsmith commented Apr 10, 2016

We'll fix this correctly as soon as GitHub Pages supports TLS. I heard a rumor on the breeze that this is expected soonish.

@tdsmith tdsmith closed this as completed Apr 10, 2016
@Homebrew Homebrew locked and limited conversation to collaborators Jul 10, 2016