Get the rvm GPG key via curl from the rvm web side instead of via hkp. #48

Merged
merged 1 commit into from Jan 24, 2018

aknrdureegaesr
Contributor

Rationale: hkp is less reliable if installation is behind a firewall,
and the installer might still work even if RVM changes its key.

FWIW: The previous code no longer works, as gpg nowadays requires a
"0x" prefix in front of the fingerprint.

@vesan
Member

vesan commented Nov 11, 2017

@mpapis What do you think about the change?

@mpapis
Member

mpapis commented Nov 12, 2017

The problem is with gpg V1, not with hkp. Try something like:

gpg2 --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 ||
  curl -sSL https://rvm.io/mpapis.asc | gpg --import -

gpg2 should be better than curl

@aknrdureegaesr
Contributor Author

This is funny...

I first had very similar code: gpg ... || curl ...

But then I thought about it. Thoughts going through my head at that point included:

  • We cannot possibly recommend this installation method to anybody who has the slightest reservation regarding security of HTTPS.
  • Anything with an || in it makes the whole only marginally more secure (if at all) than either side of the ||.
  • I found out the hard way recently the hkp protocol is much less likely to be supported in a firewall environment.
    • Leaving the hkp side can slow down the installation painfully, if the tcp/ip packets attempting to open the hkp connection are simply dropped (instead of receiving a proper "connection refused" answer).
    • This also means the curl side of the || is likely to stay, for the foreseeable future.
  • Shorter code is better code.

None of these arguments absolutely forces doing it this way.

The alternative at this point is

gpg --recv-keys 0x409B6B1796C275462A1703113804BB82D39DC0E3 ||
  curl -sSL https://rvm.io/mpapis.asc | gpg --import -

Just adding 0x in front of the fingerprint is an alternative fix of the problem. That works for both versions of gpg.

Can you give me a (preferably reasonably non-exotic) scenario where this would actually perform any better?

@aknrdureegaesr
Contributor Author

Can you give me a (preferably reasonably non-exotic) scenario where this would actually perform any better?

"You" meant @mpapis. What do you think?

@mpapis
Member

mpapis commented Jan 24, 2018

Gpg V1 has a bug that prevents download. The proper solution to this problem would be detecting Gpg V2 (this can be either gpg2 or gpg on newer systems) and using it to download the hkp key; the fallback to curl is a bogus alternative. I was thinking about it, and we are targeting beginners here; any kind of info would be too much for them. The most reliable and closest to security would be using:

gpg2 --recv-keys 0x409B6B1796C275462A1703113804BB82D39DC0E3 ||
  curl -sSL https://rvm.io/mpapis.asc | gpg --import -

@aknrdureegaesr
Contributor Author

We use HTTPS all over the place. You still have not given any argument why avoiding HTTPS in this single, isolated case improves security.

I'm still concerned about many people experiencing some three minutes or so of unneeded installation delay in the common situation when they install behind a firewall that disallows hkp.

@mpapis
Member

mpapis commented Jan 24, 2018

You're right, let's just use curl; it will be simpler and, as you mention, faster in some cases.
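
An added example, not code from this pull request or the project's guide: whichever transport delivers the key, the fingerprint quoted in the thread can be pinned and checked before anything is imported. The function names and the constructed sample record are assumptions of this example, and `import_pinned_key` assumes a GnuPG 2.x that supports `--import-options show-only`.

```shell
#!/bin/sh
# Added example: pin the fingerprint, so the transport (hkp or HTTPS) is not trusted alone.
RVM_KEY_FPR=409B6B1796C275462A1703113804BB82D39DC0E3  # fingerprint quoted in the thread
RVM_KEY_URL=https://rvm.io/mpapis.asc                  # URL quoted in the thread

# Constructed sample of `gpg --with-colons` output (dates, uid and subkey are made up).
SAMPLE_COLONS='pub:-:4096:1:3804BB82D39DC0E3:1400000000:::-:::scESC:
fpr:::::::::409B6B1796C275462A1703113804BB82D39DC0E3:
uid:-::::1400000000::::Constructed User <user@example.invalid>:
sub:-:4096:1:1111111111111111:1400000000::::::e:
fpr:::::::::1111111111111111111111111111111111111111:'

# Read colon-format listing on stdin; print the fingerprint of each primary key
# (the fpr record that directly belongs to a pub record), skipping subkeys.
primary_fingerprints() {
  awk -F: '$1 == "pub" { want = 1; next }
           $1 == "sub" { want = 0 }
           $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if stdin lists exactly one primary key and it equals the pin.
# Accepts the pin with or without a 0x prefix, in either case.
matches_pin() {
  pin=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
  found=$(primary_fingerprints)
  [ -n "$found" ] && [ "$found" = "$pin" ]
}

# Download the key, inspect it without importing, import only on a match.
import_pinned_key() {
  tmp=$(mktemp) || return 1
  if curl -sSL "$RVM_KEY_URL" -o "$tmp" &&
     gpg --with-colons --import-options show-only --import "$tmp" 2>/dev/null |
       matches_pin "$RVM_KEY_FPR"
  then
    gpg --import "$tmp"; rc=$?
  else
    echo "key from $RVM_KEY_URL does not match $RVM_KEY_FPR" >&2; rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}
```

A file that bundles a second key alongside the expected one fails the check, because `matches_pin` requires the pinned fingerprint to be the only primary key present.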

@aknrdureegaesr
Contributor Author

Thanks, @mpapis!

So this is what we already have. Who does the merge? I could do it myself, but it's more stylish if someone else clicks the "merge pull request" button.

@vesan vesan merged commit b29e549 into railsgirls:master Jan 24, 2018
@vesan
Member

vesan commented Jan 24, 2018

Thanks both @aknrdureegaesr & @mpapis!

@aknrdureegaesr aknrdureegaesr deleted the rvm-key-via-curl branch January 24, 2018 22:00
@johnehueston

Don't know what to do

@aknrdureegaesr
Contributor Author

@johnehueston: With this pull request? Nothing.

It has been merged into the master branch and closed. Nothing is left to be done with it, that I can think of.

If you have questions, one of many things you can do to get them answered: Pull down this repo to your own computer, and find out my private email address via

git log -1 4d364052ba54eddf53a408b12693d11931bde2e2

and write an email to me. Who knows - I might answer.
