stable setup_script URL for integrity checking? #694

Closed
dmose opened this issue Jul 10, 2018 · 3 comments

@dmose
dmose commented Jul 10, 2018

Thanks so much for maintaining these distributions!

In the README, various URLs are pointed to. As an example, https://deb.nodesource.com/setup_8.x is the script for downloading. Ideally, it'd be good to be able to do some level of integrity checking on that file itself.

Currently, I've hashed the existing contents of that file using sha256sum, and am comparing that to what gets downloaded. Ideally, I'd like to make it so that the automation I'm doing won't suddenly start falling over if setup_8.x gets updated.

How likely is setup_8.x to get updated in the future?

CC @indygreg

@chrislea
Contributor

Those setup scripts get updated all the time, probably several times a month on average, generally to add more aliases for additional Debian / Ubuntu based distros. I don't know of any good way to verify the integrity of that file itself over time other than making sure you fetch it over HTTPS (which you have to because of GitHub) and using DNSSEC to increase the security around possible DNS spoofing.

If this is a concern to you, I'd recommend just setting up the repo(s) manually. We're not doing anything particularly interesting with those setup scripts, so this isn't very much work to implement yourself.

@chrislea
Contributor

Hope that's helpful, and thank you for all the good work you guys are doing over at Mozilla!

@dmose
Author

dmose commented Jul 10, 2018

It is; thanks so much for the quick response! And on behalf of a cast of thousands, you're welcome. :-)
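
An added example, not part of the original thread and not NodeSource's code: the pinned-hash check described in the opening comment, written so that a changed script (which the reply says happens several times a month) fails closed before anything is executed. The function names and exit codes are assumptions of this example, and the pin in the usage comment is a placeholder.

```bash
# Added example (not NodeSource's code): pin a setup script to a known SHA-256
# and refuse to run anything that does not match. Function names and exit
# codes (0 match, 1 mismatch, 2 unusable input) are choices of this example.

# Print the lowercase hex SHA-256 of a file.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_pinned FILE EXPECTED_SHA256
verify_pinned() {
    local file="$1" expected="$2" actual
    # An empty or missing download must never pass as "verified".
    [ -f "$file" ] && [ -s "$file" ] || return 2
    # The pin itself must be exactly 64 hex characters.
    [ "${#expected}" -eq 64 ] || return 2
    case "$expected" in *[!0-9a-fA-F]*) return 2 ;; esac
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# fetch_and_verify URL EXPECTED_SHA256 DEST
# Downloads to a temp file, checks the pin, and only then moves it to DEST,
# so an unverified script never sits at the path that gets executed.
fetch_and_verify() {
    local url="$1" expected="$2" dest="$3" tmp rc=0
    tmp=$(mktemp) || return 2
    if ! curl --fail --silent --show-error --location \
            --proto '=https' --proto-redir '=https' -o "$tmp" "$url"; then
        rm -f "$tmp"
        return 2
    fi
    verify_pinned "$tmp" "$expected" || rc=$?
    if [ "$rc" -eq 0 ]; then
        mv "$tmp" "$dest"
    else
        # A mismatch usually means upstream changed the script: review the new
        # version and update the pin deliberately instead of retrying blindly.
        echo "pin check failed (rc=$rc) for $url: got $(sha256_of "$tmp")" >&2
        rm -f "$tmp"
    fi
    return "$rc"
}

# Usage (the pin is a placeholder to fill in after reviewing the script):
#   fetch_and_verify https://deb.nodesource.com/setup_8.x "<pinned-sha256>" ./setup_8.x \
#       && sudo bash ./setup_8.x
```

Exit code 1 separates "the content changed" from exit code 2 "the download or the pin was unusable", so automation can alert for review on the first and retry on the second.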
