
cmd/dist: one-line installer: additional safety/trust features #23430

Closed
pciet opened this issue Jan 12, 2018 · 5 comments

Comments

@pciet (Contributor) commented Jan 12, 2018

The one-line installer tracked in #23381 is something many new and current Go programmers will use, likely downloaded from golang.org. In that issue I mentioned having a sensation of distrust when using the Go 1.10 beta installer, and this issue is to discuss any additional features that may reduce such distrust.

My opinion is the valid HTTPS link source is trustworthy enough (I still ran the Go 1.10 beta) and that this issue is a nice to have perception improvement. @broady mentions in the other issue that a GPG signature is provided for all downloads on golang.org already.

The sensation of distrust is due to thinking that the features provided in the downloaded binary could be easily replicated by a third party with deconstructive intent. Due to the open source of the tool I'm not sure there's much else that could be done there and the website seems to have just about every necessary security feature, but maybe documentation saying "only download from golang.org and check for the browser green certificate verification and verify the GPG key this way" could be part of the tool distribution.

@ianlancetaylor (Contributor) commented Jan 12, 2018

I'm sorry, I don't fully understand this bug report. When you suggest some additional documentation that "could be part of the tool distribution," what do you mean?

@ianlancetaylor (Contributor) commented Jan 12, 2018

@cznic Since we control golang.org, we should be able to know for sure whether it is vulnerable as the article describes.

@as (Contributor) commented Jan 13, 2018

  • Responds on port 80
  • Not HTTPS
  • Sets magic HSTS header

GET / HTTP/1.1
Host: golang.org

HTTP/1.1 302 Found
Location: https://golang.org/
Content-Type: text/html; charset=utf-8
X-Cloud-Trace-Context: redacted
Date: Sat, 13 Jan 2018 00:38:35 GMT
Server: Google Frontend
Content-Length: 42

<a href="https://golang.org/">Found</a>.

Conclusion: Vulnerable
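The exchange above is the plain-HTTP first hop that a `curl http://… | sh` style installer would depend on; nothing in that hop is protected by TLS, so only what comes back on it can be tampered with on the path. As an added example, not code from the thread or the Go project, here is a Go probe that repeats the check with redirects disabled and reports whether the first reply redirects to an https:// URL and whether a Strict-Transport-Security header rode along on the plain-HTTP reply (browsers ignore HSTS received over HTTP, so such a header gives no protection there). `FirstHop`, `probe` and `newPlainHTTPFrontend` are names chosen here, and the test server is a constructed stand-in for the port-80 responder shown, so the program never contacts golang.org.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// FirstHop describes the first reply to a plain-HTTP request, before any redirect is followed.
type FirstHop struct {
	Status           int
	RedirectsToHTTPS bool // Location header points at an https:// URL
	HSTSOnPlainHTTP  bool // HSTS header present (browsers ignore HSTS sent over plain HTTP)
}

func probe(rawURL string) (FirstHop, error) {
	client := &http.Client{
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse // do not follow the 302; inspect the first hop only
		},
	}
	resp, err := client.Get(rawURL)
	if err != nil {
		return FirstHop{}, err
	}
	defer resp.Body.Close()
	return FirstHop{
		Status:           resp.StatusCode,
		RedirectsToHTTPS: strings.HasPrefix(strings.ToLower(resp.Header.Get("Location")), "https://"),
		HSTSOnPlainHTTP:  resp.Header.Get("Strict-Transport-Security") != "",
	}, nil
}

func newPlainHTTPFrontend() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Location", "https://golang.org/")
		w.WriteHeader(http.StatusFound) // constructed stand-in for the port-80 reply shown: 302, no HSTS
	}))
}

func main() {
	srv := newPlainHTTPFrontend()
	defer srv.Close()
	hop, err := probe(srv.URL + "/")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", hop) // {Status:302 RedirectsToHTTPS:true HSTSOnPlainHTTP:false}
}
```

Pointing `probe` at a real `http://` host instead of the stand-in shows the same three facts for that host's first hop; a documented installer should only ever be fetched from an `https://` URL so that hop never exists.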

@bradfitz (Contributor) commented Jan 13, 2018

Let's fold this bug into #23381. Obviously whatever we do for #23381 should be secure. No need to track it separately.

@bradfitz closed this Jan 13, 2018
@mikioh changed the title from "dist: one-line installer: additional safety/trust features" to "cmd/dist: one-line installer: additional safety/trust features" Jan 13, 2018
@golang locked and limited conversation to collaborators Jan 13, 2019