original spec for cargo quickinstall client #53

alsuren · 2022-01-22T13:37:32Z

cargo quickinstall $package should:

Attempt to fetch precompiled binaries for $package if they exist.
- Download from bintray.com.
- Ask an external notary for the hash of any tarball that we download from github releases #56
- Somehow update ~/.cargo/.crates2.toml and ~/.cargo/.crates2.json? #54
- Report the cargo quickinstall invocation to the stats server
Fall back to running cargo install $package.
- Report statistics of how long it took to install, and how big the resulting binaries are. #55

The text was updated successfully, but these errors were encountered:

alsuren · 2022-01-22T13:46:01Z

After talking to my housemate about threat models, I don't think the signatures thing really closes any attack vectors. It might be interesting to ask an external notary to tell us the hash of the tarball from github-releases when we download it. We could then know whether it has ever changed.

alsuren · 2022-01-22T13:51:25Z

I have split everything else out, so I'm closing this issue.

alsuren created this issue from a note in quickinstall kanban (To do) Jan 22, 2022

alsuren closed this as completed Jan 22, 2022

quickinstall kanban automation moved this from To do to Done Jan 22, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

original spec for cargo quickinstall client #53

original spec for cargo quickinstall client #53

alsuren commented Jan 22, 2022 •

edited

Loading

alsuren commented Jan 22, 2022

alsuren commented Jan 22, 2022

original spec for cargo quickinstall client #53

original spec for cargo quickinstall client #53

Comments

alsuren commented Jan 22, 2022 • edited Loading

alsuren commented Jan 22, 2022

alsuren commented Jan 22, 2022

alsuren commented Jan 22, 2022 •

edited

Loading